On Thu, Mar 21, 2002 at 04:39:30PM +1100, Brian May wrote:
> On Thu, Mar 21, 2002 at 12:24:20AM -0500, Ben Collins wrote:
> > Wichert and I are going to start pushing package sigs post-woody. We
> > have the tools, we just need two things:
> Last I checked, I thought we still needed support in dpkg-buildpackage?
> I think that there was a bug saying it would get fixed in the next major
> release of dpkg.
Dunno. IMO, the main tool we need is one which can do all package
related signing (.dsc, .changes and .deb), only requiring one time
passphrase entry (I can only imagine how Branden will feel having to
sign packages for X builds :)
> > 1) Crypto-in-main (any day now)
> > 2) Policy
> I just have several comments on this debsigs in general. There currently
> is the requirement that every package have a origin signature in order
> to verify.
> I think it should be possible to verify a deb package that only has
> a maint signature. This could be useful, eg. for packages which you
> only intend to distribute to friends, and don't want to appear, for
> instance, as part of Debian. True, you could sign it twice, and add a
> "maint" signature as well as a "origin" signature, but this seems a bit
> pointless (IMHO)...
That's easy enough. Just have one sig, as the origin sig (your sig) and
send out a policy just for that sig.
> Another comment: how is this/will this be intergrated with something
> like apt-get? Will it be possible to have rules like "package x needs
> to comply with policy x, package y needs to comply with policy y, all
> others need to comply with the Debian release policy for woody?"
No, read the docs. The policy is enforced by the origin and policy files
(IOW, we decide it, it isn't arbitrarily up to the user). Dpkg has the
ability to invoke the sig checker (not apt).
/ Ben Collins -- Debian GNU/Linux \
` firstname.lastname@example.org '
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org