Re: debsigs

To: Ben Collins <bcollins@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: debsigs
From: Brian May <bam@debian.org>
Date: Wed, 27 Mar 2002 12:06:54 +1100
Message-id: <[🔎] 20020327010653.GA7441@snoopy.apana.org.au>
Mail-followup-to: Brian May <bam@debian.org>, Ben Collins <bcollins@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20020327004655.GF19032@blimpo.internal.net>
References: <[🔎] Pine.LNX.4.44.0203191529580.4094-100000@tpo2.sourcepole> <[🔎] 73f2.3c97664c.da2fb@roy.gaast.net> <[🔎] 1016569697.2991.18.camel@altair> <[🔎] 87r8mfm39u.fsf@CERT.Uni-Stuttgart.DE> <[🔎] 20020321000430.GA7904@snoopy.apana.org.au> <[🔎] 20020321052420.GC20722@blimpo.internal.net> <[🔎] 20020321053930.GA12689@snoopy.apana.org.au> <[🔎] 20020327004655.GF19032@blimpo.internal.net>

On Tue, Mar 26, 2002 at 07:46:55PM -0500, Ben Collins wrote:
> > Another comment: how is this/will this be intergrated with something
> > like apt-get? Will it be possible to have rules like "package x needs
> > to comply with policy x, package y needs to comply with policy y, all
> > others need to comply with the Debian release policy for woody?"
> 
> No, read the docs. The policy is enforced by the origin and policy files
> (IOW, we decide it, it isn't arbitrarily up to the user). Dpkg has the
> ability to invoke the sig checker (not apt).

My interpretation of the docs + that statement (and I haven't seen any
docs that say checking will be done in dpkg FYI, so I might be wrong) is
that dpkg just gets a boolean value: false: no policy is valid for this
package; or true: at least one policy is valid for the package.

So what will happen if I want to use debian woody (assume it will
support this for the purpose of discussion) for all packages, but I
want to use the version of mozilla that somebody else (lets say X) has
compiled and put online their website?

This *is* something which is arbitrarily and needs to be decided
by the user.

Just because I trust person X to provide a good copy of mozilla doesn't
mean that I want to suddenly start receiving their compiled copies of,
say libc6 from their website too.

I have a number of ideas how this could be solved, but would be
interested if anybody else has thought about these issues first.
-- 
Brian May <bam@debian.org>

-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: debsigs
  - From: Ben Collins <bcollins@debian.org>

References:
- ITI: HTTPS method for apt
  - From: "Tomas Pospisek's Mailing Lists" <tpo2@sourcepole.ch>
- Re: ITI: HTTPS method for apt
  - From: Wilmer van der Gaast <lintux@bigfoot.com>
- Re: ITI: HTTPS method for apt
  - From: Paolo Redaelli <paolo.redaelli@libero.it>
- Re: ITI: HTTPS method for apt
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Re: ITI: HTTPS method for apt
  - From: Brian May <bam@debian.org>
- Re: ITI: HTTPS method for apt
  - From: Ben Collins <bcollins@debian.org>
- Re: debsigs
  - From: Brian May <bam@debian.org>
- Re: debsigs
  - From: Ben Collins <bcollins@debian.org>

Prev by Date: Re: debsigs
Next by Date: Re: debsigs
Previous by thread: Re: debsigs
Next by thread: Re: debsigs
Index(es):
- Date
- Thread