Re: Revival of the signed debs discussion
* Goswin von Brederlow (firstname.lastname@example.org) [031202 04:55]:
> Andreas Barth <email@example.com> writes:
> > Technical details should IMHO be discussed later, but a sample
> > passport could look like:
> > accepted by katie on Mon, 1 Dec 2003 20:34:58 +0000 because of good signature of DD, KeyID 0x01234567
> > build by DD on Sun, 30 Nov 2003 14:34:33 +0100
> > mgetty-voice_1.1.30-6_i386.deb
> > 450b2b4ffa0be49b43f7358099117f7d control.tar.gz
> > fb00a05d140ec3e830d6227f3fdd743d data.tar.gz
> All debs would contain the same string "accepted by katie on * because
> of good signature of DD, KeyID *". Thats a lot of bytes wasted.
There is a mere misunderstanding. If you singned the deb, katie would
write "accepted by katie on * because of good signature of Goswin von
Brederlow <firstname.lastname@example.org>, KeyID 0x...". And of
course, this string should be made shorter, but that's something we
can at the moment leave for later discussion IMHO. It could e.g. be:
"katie: 2003-...: sig ok, Goswin von Brederlow <email@example.com>, 0x...."
> The date is already stored in the ar archive so thats wasted too.
Almost everything is "already stored in the ar archive". But not in a
secure way. The question is just: Which information is needed to be
secured. And I for myself want the day something was transfered to the
pool to be signed.
> Each signing instance should have an unique key. They key ID then
> identifies who signed it and the reason (being allways the same) could
> be documented in some Readme.
The reason is not always necessarily the same, e.g. if someone
sponsors someone else. However, this could be solved with your proposal.
> I agree with you that every instance along the way to the archive
> should sign the package:
> debsigs allows for 10 chars for the name of the signature.
> 8 chars would be key ID.
> 1-2 chars could be used to denote the reason of the signature:
> DM - DD maintainer
> NM - non DD maintainer
> DN - non maintainer upload by a DD
> NN - non maintainer non dd upload
> SP - sponsor
> BD - buildd
> BA - buildd admin
> DI - deinstall
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C