[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion

Wouter Verhelst wrote:
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
> An alternative would be to copy over the .debs, sign them on the local
> hard disk, and upload them from there. That won't work either; it only
> solves the second problem (as you don't have to copy the secret key
> over), not the first, and it adds a bandwidth-related (if I have to
> download all packages arrakis successfully builds, have to sign them
> locally, and upload them again, I might exceed the download quota my ISP
> has implemented; requesting a higher quota involves paying for it)
> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.

There is nothing in signed debs that prevents you from generating the
fingerprint on the buildd, and mailing it to you for remote signing. It
does require a two step process of first signing the debs, then their
changes file, but this seems ameanable to automation.

see shy jo

Attachment: signature.asc
Description: Digital signature

Reply to: