Re: Packages and Signatures, a summary
A nice discussion.
> <Manoj> But we need to get dpkg changed, then
> <Culus> I like this
> <joeyh> er, is that a word?
> <Manoj> joeyh: no
> <Culus> Manoj: Naw, all this is external to dpkg
> <aj> ``Consensed Milk -- Preferred beverage of Debian developers'' ?
> <xtifr> no, not a word! please, god, make it stay not a word! :)
> <aj> Culus: huh? how to you have a signed .deb without changing
> <Manoj> Culus: How do packages get signed, then?
> <Culus> we wrap dpkg with trusted-dpkg using the APT
> reconfiguration routines which does a trust db check.
> <joeyh> xtifr: well, it'd be used so rarely, it doesn't matter
> <Culus> We use the apt preinstall checks to hook the trust edtitor
> <xtifr> joeyh: :)
> <Culus> and we use joeyhs new slang gui to write the editor
> <joeyh> aj: dpkg-deb -b is all that needs changed.
> <Manoj> Culus: not the check -- thre creation part
I disagree with this. dpkg should have some rudimentary support to verify a
signature. I might want to use this feature on a machine where I don't have
apt installed, or on a platform where apt is not ported to. If apt can
support advanced features, that's nice, but dpkg is still our central
packaging system, and should support all critical features.
At least options to extract the signature from the package, and a script to
automatically check the signature with a given keyring are necessary, I think.
`Rhubarb is no Egyptian god.' Debian http://www.debian.org Check Key server
Marcus Brinkmann GNU http://www.gnu.org for public PGP Key
Marcus.Brinkmann@ruhr-uni-bochum.de, firstname.lastname@example.org PGP Key ID 36E7CD09