Re: Revival of the signed debs discussion

* Goswin von Brederlow (brederlo@informatik.uni-tuebingen.de) [031202 04:55]:
> Andreas Barth <aba@not.so.argh.org> writes:
> > Technical details should IMHO be discussed later, but a sample
> > passport could look like:
> > 
> > accepted by katie on Mon,  1 Dec 2003 20:34:58 +0000 because of good signature of DD, KeyID 0x01234567
> > build by DD on Sun, 30 Nov 2003 14:34:33 +0100
> > mgetty-voice_1.1.30-6_i386.deb
> > 450b2b4ffa0be49b43f7358099117f7d control.tar.gz
> > fb00a05d140ec3e830d6227f3fdd743d data.tar.gz

> All debs would contain the same string "accepted by katie on * because
> of good signature of DD, KeyID *". That's a lot of bytes wasted.

There is a mere misunderstanding. If you signed the deb, katie would
write "accepted by katie on * because of good signature of Goswin von
Brederlow <brederlo@informatik.uni-tuebingen.de>, KeyID 0x...". And of
course, this string should be made shorter, but that's something we
can at the moment leave for later discussion IMHO. It could e.g. be:
"katie: 2003-...: sig ok, Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>, 0x...."

> The date is already stored in the ar archive so that's wasted too.

Almost everything is "already stored in the ar archive". But not in a
secure way. The question is just: Which information is needed to be
secured. And I for myself want the day something was transferred to the
pool to be signed.

> Each signing instance should have a unique key. The key ID then
> identifies who signed it and the reason (being always the same) could
> be documented in some Readme.

The reason is not always necessarily the same, e.g. if someone
sponsors someone else. However, this could be solved with your proposal.

> I agree with you that every instance along the way to the archive
> should sign the package:


> debsigs allows for 10 chars for the name of the signature.
> 8 chars would be key ID.
> 1-2 chars could be used to denote the reason of the signature:
> DM - DD maintainer
> NM - non DD maintainer
> DN - non maintainer upload by a DD
> NN - non maintainer non dd upload
> SP - sponsor
> BD - buildd
> BA - buildd admin
> DI - deinstall

Good idea.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
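
Added example, not part of the original message or of debsigs: a sketch of the two ideas in this thread, the passport digest lines over control.tar.gz and data.tar.gz and the proposed 10-character signature name (8 characters key ID plus a 2-letter reason). It assumes the 32-hex digests in the sample are MD5; all function names are hypothetical and the sample archive is constructed.

```python
import hashlib
import string

# Reason codes exactly as listed in the quoted proposal.
REASONS = {"DM": "DD maintainer", "NM": "non DD maintainer",
           "DN": "non maintainer upload by a DD",
           "NN": "non maintainer non dd upload", "SP": "sponsor",
           "BD": "buildd", "BA": "buildd admin", "DI": "deinstall"}

def ar_member(name, data, mtime=0):
    """Build one ar member: 60-byte header, data, pad to even length."""
    hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, mtime, 0, 0, "100644", len(data))
    return hdr.encode() + data + (b"\n" if len(data) % 2 else b"")

def ar_members(blob):
    """Yield (name, mtime, data) for each member of an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("bad member header")
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        yield hdr[:16].decode().rstrip(" /"), int(hdr[16:28]), data
        pos += 60 + size + size % 2

def passport_digests(blob):
    """Digest lines for the two members named in the sample passport."""
    return ["%s %s" % (hashlib.md5(data).hexdigest(), name)
            for name, _, data in ar_members(blob)
            if name in ("control.tar.gz", "data.tar.gz")]

def parse_sig_name(name):
    """Split a 10-char name into (key ID, reason) per the proposal."""
    if (len(name) != 10 or set(name[:8]) - set(string.hexdigits)
            or name[8:] not in REASONS):
        raise ValueError("expected 8 hex digits + 2-letter reason code")
    return name[:8], REASONS[name[8:]]

def sample_deb(mtime):
    """Constructed stand-in for a .deb; member contents are dummy bytes."""
    return b"!<arch>\n" + b"".join(ar_member(n, d, mtime) for n, d in [
        ("debian-binary", b"2.0\n"), ("control.tar.gz", b"control"),
        ("data.tar.gz", b"data")])
```

Two archives that differ only in the ar header timestamps produce identical digest lines, so a date that should be covered by a signature has to appear in the signed passport text itself.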

