Re: debsign process

To: debian-devel@lists.debian.org
Subject: Re: debsign process
From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
Date: Fri, 1 Jun 2001 09:03:15 +0100
Message-id: <[🔎] 20010601090315.A17346@polya>
In-reply-to: <20010531232333.B12862@kitenet.net>
References: <20010531232333.B12862@kitenet.net>

On Thu, May 31, 2001 at 11:23:33PM -0400, Joey Hess wrote:
> Julian Gilbey wrote:
> > Fun, fun, fun.  There are three different signing programs around at
> > present, AFAIK: dpkg-buildpackage, which signs the .dsc and .changes
> > files; debsign, which emulates the signing part of dpkg-buildpackage,
> > and debsigs, which signs the control.tar.gz and data.tar.gz within the
> > .deb itself.  None of them are safe to cache the passphrase (which
> > should require a setuid-root binary to allocate safe memory; I note
> > that mutt does not do this, though).  Which one would be rewritten?
> 
> It would be much nicer if bug #89094 could just be implemented. If gpg
> supported signing multiple files in one pass, one of the above could
> just use that support and we wouldn't have to worry about another
> security issue. (And for free we'd half the existing number of
> passphrase entries too..)

Wouldn't help much (except for debsigs); as someone's already pointed
out, the .changes file needs the MD5 sum of the *signed* .dsc.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

         Julian Gilbey, Dept of Maths, Queen Mary, Univ. of London
       Debian GNU/Linux Developer,  see http://people.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/

Reply to:

Prev by Date: Re: does search work in ML archives?
Next by Date: Re: /etc getting big
Previous by thread: Re: does search work in ML archives?
Next by thread: Re: debsign process
Index(es):
- Date
- Thread