[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GroundZero (third party deb repository)



On Thu, 12 Feb 1998, Christian Schwarz wrote:

> I agree. Note, that this topic has been discussed WRT the KDE packages on
> debian-policy some time ago. We had a consensus that it doesn't make sense
> to define a policy for non-Debian people, since we can't control what they
> are releasing.

I think is quite bad not to have some sort of solution to this. Even if
the 3rd party wanted to play nicely they couldn't because we have NO way
to allow them to.
 
> Thus, we had the idea of implementing the `Origin:' tag on the packages
> which would, together with digitally signed packages, give our package
> tools (dpkg, dselect, deity) a chance to check for packages which come
> from another source--even if they use the same package name and/or
> version.

How about this, we add the Origin tag now and worry about signatures
later. The trouble is that the Origin field has to be inside the .deb
which will probably delay adoption time. At the very least we can tell
groups like KDE, GroundZero and Fuller than they should be putting origin
fields on their packages.

The Origin field isn't required for signatures and signatures are not
required for the origin feild.

> How hard would it be to implement the Origin/g10-signature check for
> deity?

The origin field should be quite doable, A sig check is also easy
providing there is the software to do it, check the key right after (or
instead of?) the md5 check on the download. 

Jason


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .


Reply to: