Re: debsigs

On Thu, Mar 21, 2002 at 12:24:20AM -0500, Ben Collins wrote:
> Wichert and I are going to start pushing package sigs post-woody. We
> have the tools, we just need two things:

Last I checked, I thought we still needed support in dpkg-buildpackage?
I think that there was a bug saying it would get fixed in the next major
release of dpkg.

> 1) Crypto-in-main (any day now)
> 2) Policy

I just have several comments on this debsigs in general. There currently
is the requirement that every package have an origin signature in order
to verify.

I think it should be possible to verify a deb package that only has
a maint signature. This could be useful, e.g. for packages which you
only intend to distribute to friends, and don't want to appear, for
instance, as part of Debian. True, you could sign it twice, and add a
"maint" signature as well as an "origin" signature, but this seems a bit
pointless (IMHO)...

Another comment: how is this/will this be integrated with something
like apt-get? Will it be possible to have rules like "package x needs
to comply with policy x, package y needs to comply with policy y, all
others need to comply with the Debian release policy for woody?"

