Re: dpkg-sig: sign binary debian archive files

[George Danchev <danchev@spnet.net>]

On Sunday 28 December 2003 16:17, Andreas Barth wrote:
--cut--
> similar. I remember also a discussion with doogie about "make it in an
> extra package or as part of dpkg (source package)?" where I got
> something like: Show usable code in an extra package, and if it works
> (and is actually used), it's possible to move that to dpkg later on.

Perhaps that had being discused before, that patch [1] had being introduced 
and merged. As far as I can see it is in dpkg src tree and interacts with the 
package of debsig-verify and also described in securing-debian-howto.

> So, for me the situation is this:
> - If the dpkg-maintainers ask me to change name I'll of course do this.
> - I'll try to move the code to src:dpkg if dpkg-sig is really used
>   (which I assume and hope); otherwise, we won't need an unused
>   package in the archive.

As I understand this is an alternative of the above patch+debsig-verify story. 
Isn't it a little bit confusing to have 2 methods for per-deb signing/
checking. 

The situation with apt (treating the per-distributon-releases) is almost 
similar, or there is some differences between apt-check-sigs [2] and the 
changes applied to apt-0.6.x apt-0.5.17 branches.

> I hope this is ok.

Possitive. I (personally) like your code, but reading the relevant part of 
securing-debian-howto and looking at the debian archives I still see 2 
options available for "per-deb" and 2 options available for "per-archive" 
signaturing. Debian has been missing that sigs stoy for years, but presently 
there is an avalanche of such code introduced ... now what ...voting ?

[1] http://lists.debian.org/debian-dpkg/2001/debian-dpkg-200103/msg00024.html
[2] http://people.debian.org/~ajt/apt-check-sigs
-- 
pub  4096R/0E4BD0AB 2003-03-18 <keyserver.bu.edu>
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB