Re: Revival of the signed debs discussion
Andreas Barth <firstname.lastname@example.org> writes:
> * Goswin von Brederlow (email@example.com) [031204 15:10]:
> > Andreas Barth <firstname.lastname@example.org> writes:
> > > Ok?
> > Sounds ok but the upload rules can be tightened much much later. First
> > we have to get signing started, which means fixing apt-utils or
> > debsigs or preferably both. And of course change policy to
> > allow/suggest it.
> I want to know before going on a trip where this trip is suggested to
> end. Of course, after knowing, we should really start with the first
> steps. And these are, as you say:
> - Fix apt-utils
> - Sign md5sum-files instead of the concatenated binaries (to allow for
> remote signing)
That would be a design change in debsigs and debsigs-verify. Small
one. AFAIK it's still being looked into splitting gpg itself for remote
signing. The md5sum-file signing would be much simpler though.
> - Change policy
> And don't forget: Start to sign as soon as the toolchain is ready for
I made a little mirror with signed debs. Without preconfiguring or
with the one-line patch to apt-utils it works fine. I was working on
a debsigs patch for more conformant debs, actually a dar (debian ar or
deb ar) binary that supports deb archive ar files as far as debsigs
needs it, when the new Opteron arrived. New toys always distract.
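
The md5sum-file idea discussed in this message, sketched as an added example that is not part of the thread and not debsigs code: a .deb is an ar archive, so a small per-member digest manifest can be built from it and only that manifest has to reach the machine holding the signing key. The function names and sample members are constructed for illustration, and the gpg signing of the manifest itself is assumed to happen elsewhere.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
# Constructed sample members standing in for a real package's contents.
SAMPLE = [("debian-binary", b"2.0\n"),
          ("control.tar.gz", b"constructed control"),
          ("data.tar.gz", b"constructed data!")]


def build_ar(members):
    """Build a minimal ar archive (the container format of a .deb)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) + 2-byte terminator
        header = "%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (name, 0, 0, 0, "100644", len(data))
        out += header.encode("ascii") + data
        if len(data) % 2:
            out += b"\n"  # member data is padded to an even length
    return bytes(out)


def ar_members(blob):
    """Yield (name, data) for each member, rejecting malformed archives."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[:16].decode("ascii").rstrip(" /")
        size = int(header[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos += 60 + size + (size % 2)


def manifest(blob):
    """md5sum-style manifest of all members: the small file to be signed."""
    lines = ["%s  %s" % (hashlib.md5(d).hexdigest(), n) for n, d in ar_members(blob)]
    return ("\n".join(lines) + "\n").encode("ascii")


def verify(blob, signed_manifest):
    """Recompute the manifest and compare it with the one whose signature was checked."""
    return manifest(blob) == signed_manifest
```

The verifier must check the signature on the manifest first and only then compare it with the recomputed digests; the comparison alone proves nothing about origin.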