Re: debsign process



Julian Gilbey wrote:
> Fun, fun, fun.  There are three different signing programs around at
> present, AFAIK: dpkg-buildpackage, which signs the .dsc and .changes
> files; debsign, which emulates the signing part of dpkg-buildpackage,
> and debsigs, which signs the control.tar.gz and data.tar.gz within the
> .deb itself.  None of them are safe to cache the passphrase (which
> should require a setuid-root binary to allocate safe memory; I note
> that mutt does not do this, though).  Which one would be rewritten?

It would be much nicer if bug #89094 could just be implemented. If gpg
supported signing multiple files in one pass, one of the above could
just use that support and we wouldn't have to worry about another
security issue. (And for free we'd halve the existing number of
passphrase entries too..)

(It might be a nice start if James would at least forward the wishlist
upstream. :-/)

-- 
see shy jo
