Re: Revival of the signed debs discussion
Goswin von Brederlow <firstname.lastname@example.org> writes:
> Thomas Viehmann <email@example.com> writes:
> > Hi.
> > Goswin von Brederlow wrote:
> > > PS: I favour method C and would especially like some feedback on the
> > > technical aspect. Can a "_deb_signature" file be safely added to the
> > > end of a deb without breaking existing tools (apt/dpkg/dinstall)?
> > I'd favor C, too. (And with be I'd prefer "cat *.changes" over "tar" if
> > it's gonna be B...)
> > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> > _deb_signature ; md5sum my.deb" gives two different lines, I'd think
> > signing the individual members of the deb, not the deb in itself is
> > preferable (or sign a list of md5sums or whatever). (Even if there is
> > some way to restore the old deb, I'd think something like the above
> > should be possible.)
> I suggest making the signature an RFC 822 formatted file including some
> additional information about the build environment:
Actually drop this in favour of debsigs.
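
The point made in the quoted reply (adding a `_deb_signature` member changes the checksum of the whole .deb, so the members should be digested individually), as an added example that is not part of the original thread. The member contents are constructed, the function names are hypothetical, and SHA-256 is used here in place of the md5sum mentioned in the mail.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
SIG_NAME = "_deb_signature"  # member name proposed in the thread

def ar_member(name: bytes, data: bytes) -> bytes:
    """Serialize one ar member: 60-byte header, data, pad to an even offset."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return header + data + (b"\n" if len(data) % 2 else b"")

def ar_members(blob: bytes):
    """Yield (name, data) for each member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        # GNU ar writes names with a trailing '/'; accept both forms.
        name = header[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        yield name, data
        pos += 60 + size + (size % 2)

def member_digests(blob: bytes):
    """Digest list to sign: every member except the signature itself."""
    return [(n, hashlib.sha256(d).hexdigest())
            for n, d in ar_members(blob) if n != SIG_NAME]

def build_sample(gnu_names: bool = False) -> bytes:
    """Constructed stand-in for a .deb (member contents are not real tarballs)."""
    members = [(b"debian-binary", b"2.0\n"),
               (b"control.tar.gz", b"constructed control bytes"),
               (b"data.tar.gz", b"constructed data bytes")]
    suffix = b"/" if gnu_names else b""
    return AR_MAGIC + b"".join(ar_member(n + suffix, d) for n, d in members)

def append_signature(blob: bytes, signature: bytes) -> bytes:
    return blob + ar_member(SIG_NAME.encode(), signature)

if __name__ == "__main__":
    plain = build_sample()
    signed = append_signature(plain, b"constructed signature bytes")
    print(hashlib.sha256(plain).hexdigest() == hashlib.sha256(signed).hexdigest())
    print(member_digests(plain) == member_digests(signed))
```

A signature computed over the output of `member_digests` stays valid when the signature member is added or the archive headers are rewritten, while any change to a member's content changes the list.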