[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Joey Hess <joeyh@debian.org> writes:

> John Goerzen wrote:
> > Please check out the debsigs package.  I wrote it when I worked at
> > Progeny back in 2001, and Branden Robinson maintains it these days.  It
> > does exactly that.
> Unfortunatly, the method debsigs uses to add the signature to the .deb
> provuces a file that apt (including apt-ftparchive) does not consider to
> be a debian package. This makes it kind of hard to upload the result to
> the debian archive. :-(

I tried it out and the problem is in the pre-configuring of packages
with debconf. More to the point apt-extracttemplates can't handle the
difference between an dpkg-deb and ar created ar archive (ar has a
trailing '/' after the filename).

I submitted a one line patch to apt to fix this and behave like
dpkg. I hope this gets added soon. Till then its either signed debs or
pre-configuring of packages.

> I filed bugs about this a long time ago, it is apparently blocked
> waiting on the mythical dpkg 2.0 which is supposed to have its own
> external ar program that generates more valid debs. See the bugs of apt,
> dpkg, and/or debsigs (I forget which, and am offline) for details.
> I'm *sure* there is some way around it that does not involve waiting on
> dpkg 2.0, of course, if someone has the energy to work on it.

dpkg-deb could be patched to support modifying debs and debsigs could
be changed to use that instead of using ar. Or debsigs could modify
the ar archive directly without forking ar. There is an CPAN ar module
which could be used. I'm not sure if it uses a trailing '/' too but if
so that would be simple to copy and fix.

Another but not so nice way wouldbe for all signed debs to conflict
with apt-utils.


Reply to: