Re: Revival of the signed debs discussion
Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> writes:
> Thomas Viehmann <tv@beamnet.de> writes:
>
> > Hi.
> >
> > Goswin von Brederlow wrote:
> > > PS: I favour method C and would esspecially like some feedback on the
> > > technical aspect. Can a "_deb_signature" file be savely added to the
> > > end of a deb without breaking existing tools (apt/dpkg/dinstall)?
> >
> > I'd favor C, too. (And with be I'd prefer "cat *.changes" over "tar" if
> > it's gonna be B...)
> >
> > However: As "md5sum my.deb ; ar q my.deb _deb_signature ; ar d my.deb
> > _deb_signature ; md5sum my.deb" gives two different lines, I'd think
> > signing the individual members of the deb, not the deb in itself is
> > preferable (or sign a list of md5sum's or whatever). (Even if there is
> > some way to restore the old deb, I'd think something like the above
> > should be possible.)
>
> I suggest making the signature a rfc822 formated file including some
> aditional information about the build environment:
Actually drop this in favour iof debsigs.
MfG
Goswin
Reply to: