[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsigs

On Tue, Mar 26, 2002 at 07:46:55PM -0500, Ben Collins wrote:
> > Another comment: how is this/will this be intergrated with something
> > like apt-get? Will it be possible to have rules like "package x needs
> > to comply with policy x, package y needs to comply with policy y, all
> > others need to comply with the Debian release policy for woody?"
> No, read the docs. The policy is enforced by the origin and policy files
> (IOW, we decide it, it isn't arbitrarily up to the user). Dpkg has the
> ability to invoke the sig checker (not apt).

My interpretation of the docs + that statement (and I haven't seen any
docs that say checking will be done in dpkg FYI, so I might be wrong) is
that dpkg just gets a boolean value: false: no policy is valid for this
package; or true: at least one policy is valid for the package.

So what will happen if I want to use debian woody (assume it will
support this for the purpose of discussion) for all packages, but I
want to use the version of mozilla that somebody else (lets say X) has
compiled and put online their website?

This *is* something which is arbitrarily and needs to be decided
by the user.

Just because I trust person X to provide a good copy of mozilla doesn't
mean that I want to suddenly start receiving their compiled copies of,
say libc6 from their website too.

I have a number of ideas how this could be solved, but would be
interested if anybody else has thought about these issues first.
Brian May <bam@debian.org>

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: