[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Op ma 01-12-2003, om 14:34 schreef Goswin von Brederlow:
> Deb signatures method C:
> And now for something completly different. A man with 3 noses. :)
> Instead of keeping extra files with the signature of the deb the
> information could be stored inside the deb itself.

As much as I like this idea in principle, storing signatures inside
.debs has a serious problem: it won't work for us buildd maintainers.

As I explain in my document on wanna-build (usually at
http://people.debian.org/~wouter/wanna-build-states, but due to some
problems with that machine temporarily currently at
http://www.grep.be/wanna-build-states.html too), buildd maintainers do
not manually log in to their autobuilder to sign each and every .changes
on its hard disk; instead, they extract the .changes file from the mails
of successful messages sent to them (and to logs@buildd.debian.org,
which processes them into what people can look up on
http://buildd.debian.org), sign that, and send it back. In reply, the
buildd will move all files mentioned in the .changes to an upload
directory for them to be uploaded. This results in quite a few mails
daily for me, being "just" the admin of 2 (out of 11) m68k autobuilders;
it must be a hell of a lot more for those such as Ryan Murray and James
Troup, who are and/or have been the sole autobuilder maintainers for
multiple architectures.

Requiring us to log in to the autobuilder to sign the .deb remotely is
not acceptable, for two reasons:
* it's way too much work for most of us
* it requires copying the secret key over, which is, uh, a bad idea.

An alternative would be to copy over the .debs, sign them on the local
hard disk, and upload them from there. That won't work either; it only
solves the second problem (as you don't have to copy the secret key
over), not the first, and it adds a bandwidth-related (if I have to
download all packages arrakis successfully builds, have to sign them
locally, and upload them again, I might exceed the download quota my ISP
has implemented; requesting a higher quota involves paying for it)

So unless you have a suggestion that would solve this particular issue,
I'm afraid this idea won't work in practice.

Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.

Attachment: signature.asc
Description: Dit berichtdeel is digitaal ondertekend

Reply to: