Re: Revival of the signed debs discussion
* Wouter Verhelst (firstname.lastname@example.org) [031202 19:40]:
> As much as I like this idea in principle, storing signatures inside
> .debs has a serious problem: it won't work for us buildd maintainers.
Workability for the buildd maintainers is IMHO _certainly_ one
> As I explain in my document on wanna-build (usually at
> http://people.debian.org/~wouter/wanna-build-states, but due to some
> problems with that machine temporarily currently at
> http://www.grep.be/wanna-build-states.html too), buildd maintainers do
> not manually log in to their autobuilder to sign each and every .changes
> on its hard disk; instead, they extract the .changes file from the mails
> of successful messages sent to them (and to email@example.com,
> which processes them into what people can look up on
> http://buildd.debian.org), sign that, and send it back. In reply, the
What checks do you do to such a package before signing?
> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.
Two suggestions come to my mind. However, I can't judge how useful
they are in reality.
Signing by the buildd:
The buildd could sign the debs by a buildd-key (one key for each
buildd and each year). They could sign e.g. after they get the changes
file back signed by the build admin. The debian archive scripts
accepts packages signed by a buildd-key only if it is a binary package
for this architecture, the key is valid (i.e. in the right year), and
this package has been handed out to this autobuilder for building.
Creating special helper scripts:
It could be possible to extract a small file (more or less like the
current changes file) out of each deb. So you could just sign this
file, and sent it back to the buildd. The buildd would then extract
the signature, and include it into the deb before upload. This would
however need to change the way debsign works: Currently debsign makes
a simple binary stream out of the members of the ar. Instead of this,
debsign should create e.g. a md5sum-file (like the current changes,
but "one level lower") out of the binaries, and then sign this file.
It is possible to write a verify-script that could accept the old and
the new verifying-method.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C