Re: Revival of the signed debs discussion

Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> writes:

> Thomas Viehmann <tv@beamnet.de> writes:
> > Hi.
> > 
> > Goswin von Brederlow wrote:
> > > PS: I favour method C and would especially like some feedback on the
> > > technical aspect.  Can a "_deb_signature" file be safely added to the
> > > end of a deb without breaking existing tools (apt/dpkg/dinstall)?
> > 
> > I'd favor C, too. (And with be I'd prefer "cat *.changes" over "tar" if
> > it's gonna be B...)
> > 
> > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> > _deb_signature ; md5sum my.deb"  gives two different lines, I'd think
> > signing the individual members of the deb, not the deb in itself is
> > preferable (or sign a list of md5sum's or whatever). (Even if there is
> > some way to restore the old deb, I'd think something like the above
> > should be possible.)
>
> I suggest making the signature an rfc822 formatted file including some
> additional information about the build environment:

Actually drop this in favour of debsigs.
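
The point raised in the quoted text above, as an added example that is not part of the original thread: appending a `_deb_signature` member changes the digest of the whole archive, while the digests of the individual members stay the same, so a signature over the per-member digest list survives the append. The archive here is a constructed stand-in for a .deb with dummy member contents, the function names are hypothetical, and SHA-256 is used in place of the thread's md5sum.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name, data):
    """Encode one ar member: 60-byte header, data, newline pad to even size."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name.encode("ascii"), 0, 0, 0, b"100644", len(data))
    return header + data + (b"\n" if len(data) % 2 else b"")

def parse_ar(blob):
    """Return [(name, data), ...] for every member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        name = header[:16].decode("ascii").rstrip(" /")  # GNU ar appends "/"
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"member {name!r} is truncated")
        members.append((name, data))
        pos += 60 + size + size % 2  # skip the pad byte after odd-sized data
    return members

def whole_digest(blob):
    return hashlib.sha256(blob).hexdigest()

def member_digests(blob, skip=("_deb_signature",)):
    """Ordered (name, digest) list of the payload members: the thing to sign."""
    return [(n, hashlib.sha256(d).hexdigest())
            for n, d in parse_ar(blob) if n not in skip]

def build_sample_deb():
    """Constructed stand-in for a .deb; the member contents are dummy bytes."""
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", b"constructed control bytes")
            + ar_member("data.tar.gz", b"constructed data bytes"))

if __name__ == "__main__":
    unsigned = build_sample_deb()
    signed = unsigned + ar_member("_deb_signature", b"constructed signature")
    print("whole file equal:", whole_digest(unsigned) == whole_digest(signed))
    print("members equal:  ", member_digests(unsigned) == member_digests(signed))
```

Keeping the list ordered and including the member names means a verifier also notices renamed, reordered, added or removed payload members, not only changed contents.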
