
Re: Revival of the signed debs discussion

Andreas Barth <aba@not.so.argh.org> writes:

> * Goswin von Brederlow (brederlo@informatik.uni-tuebingen.de) [031204 15:10]:
> > Andreas Barth <aba@not.so.argh.org> writes:
> > > Ok?
> > Sounds ok, but the upload rules can be tightened much, much later. First
> > we have to get signing started, which means fixing apt-utils or
> > debsigs or preferably both. And of course change policy to
> > allow/suggest it.
> I want to know before going on a trip where this trip is suggested to
> end. Of course, after knowing, we should really start with the first
> steps. And these are, as you say:
> - Fix apt-utils

Patch existing.

> - Sign md5sum-files instead of the concatenated binaries (to allow for
>   remote signing)

That would be a design change in debsigs and debsigs-verify. A small
one. AFAIK splitting gpg itself for remote signing is still being looked
into. Signing the md5sum file would be much simpler, though.

> - Change policy
> And don't forget: Start to sign as soon as the toolchain is ready for
> it.

I made a little mirror with signed debs. Without preconfiguring or
with the one-line patch to apt-utils it works fine. I was working on
a debsigs patch for more conformant debs, actually a dar (debian ar or
deb ar) binary that supports deb archive ar files as far as debsigs
needs it, when the new Opteron arrived. New toys always distract.
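The two signing inputs discussed in this thread, as an added example that is not code from the thread, from debsigs or from apt-utils: a minimal parser for the ar(1) container that .deb files use, a digest over the concatenated payload members (the thread describes debsigs as signing "the concatenated binaries"; the member names debian-binary, control.tar.gz and data.tar.gz are assumed from the .deb format), and an md5sum-style manifest of the same members, which is the small text a remote signing host would need to see instead of the whole package. The sample .deb is constructed inline with placeholder payloads, not real tarballs.

```python
"""Added example (not from the original thread or from debsigs): parse the
ar container of a .deb and show what gets signed under the two designs the
thread discusses, concatenated members vs. an md5sum manifest."""
import hashlib

AR_MAGIC = b"!<arch>\n"
# Assumed payload member names of a .deb, in archive order.
DEB_MEMBERS = (b"debian-binary", b"control.tar.gz", b"data.tar.gz")


def ar_member(name: bytes, data: bytes) -> bytes:
    """Build one ar member: 60-byte header, data, newline pad to even size."""
    header = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (
        name, b"0", b"0", b"0", b"100644", str(len(data)).encode())
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def ar_members(blob: bytes):
    """Yield (name, data) for each member, refusing truncated archives."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("truncated or corrupt ar header")
        # GNU ar terminates names with '/', BSD/dpkg style does not; accept both.
        name = header[0:16].rstrip().rstrip(b"/")
        size = int(header[48:58].strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("member %r truncated" % name)
        yield name, data
        pos += 60 + size + (size % 2)


def concatenated_digest(blob: bytes) -> str:
    """Digest of the payload members concatenated in archive order.
    Signing this requires the signing host to hold the entire .deb."""
    h = hashlib.sha256()
    for name, data in ar_members(blob):
        if name in DEB_MEMBERS:
            h.update(data)
    return h.hexdigest()


def md5sum_manifest(blob: bytes) -> bytes:
    """md5sum(1)-style manifest of the payload members. Only this text needs
    to travel to a remote signer; the signature then covers the members
    transitively through their hashes."""
    lines = []
    for name, data in ar_members(blob):
        if name in DEB_MEMBERS:
            lines.append(hashlib.md5(data).hexdigest().encode() + b"  " + name + b"\n")
    return b"".join(lines)


def verify_manifest(blob: bytes, manifest: bytes) -> bool:
    """Verifier side: re-derive the manifest from the archive on disk and
    compare it with the (signature-checked) manifest."""
    return md5sum_manifest(blob) == manifest


def build_sample_deb() -> bytes:
    """Constructed sample .deb: real member names, placeholder payloads."""
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in (
        (b"debian-binary", b"2.0\n"),
        (b"control.tar.gz", b"<control tarball placeholder>"),
        (b"data.tar.gz", b"<data tarball placeholder>"),
    ))


if __name__ == "__main__":
    deb = build_sample_deb()
    manifest = md5sum_manifest(deb)
    print("members:", [n.decode() for n, _ in ar_members(deb)])
    print("bytes a remote signer must see: %d (manifest) vs %d (whole .deb)"
          % (len(manifest), len(deb)))
    print(manifest.decode(), end="")
    tampered = deb.replace(b"<data tarball placeholder>", b"<data tarball PLACEHOLDER>")
    print("manifest verifies after tampering:", verify_manifest(tampered, manifest))
```

The manifest approach keeps the key material on a host that never receives the package itself, which is the point of "remote signing" above; the trade-off is that the manifest must be carried inside the .deb (as debsigs does with its own members) or alongside it, and the verifier must recompute every listed hash rather than one digest over the concatenation.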

