
Re: dpkg-sig: sign binary debian archive files

* George Danchev (danchev@spnet.net) [031228 17:25]:
> On Sunday 28 December 2003 16:17, Andreas Barth wrote:
> --cut--
> > similar. I remember also a discussion with doogie about "make it in an
> > extra package or as part of dpkg (source package)?" where I got
> > something like: Show usable code in an extra package, and if it works
> > (and is actually used), it's possible to move that to dpkg later on.

> Perhaps that had been discussed before, that patch [1] had been introduced
> and merged. As far as I can see it is in dpkg src tree and interacts with the
> package of debsig-verify and also described in securing-debian-howto.

No. dpkg-sig is discussed and written in 2003, and that patch is from

> > So, for me the situation is this:
> > - If the dpkg-maintainers ask me to change name I'll of course do this.
> > - I'll try to move the code to src:dpkg if dpkg-sig is really used
> >   (which I assume and hope); otherwise, we won't need an unused
> >   package in the archive.
> As I understand this is an alternative of the above patch+debsig-verify story.

No. The verification capabilities of dpkg-sig are equivalent to the
package extraction capabilities of dpkg-deb - very useful if one
needs such a thing, but not the default usage in daily operation. For
the everyday signature verification I recommend a more high-level tool
than dpkg-sig.

> Isn't it a little bit confusing to have 2 methods for per-deb signing/
> checking?

Well, there were some issues:
- don't break the deb when adding signatures
- protocol must allow the possibility of remote signing
(The second is a requirement of more than one buildd-admin - and they
know probably much better than I what they need.)

So, because of the second issue, we needed a change in the signing
protocol. A draft of the signing protocol is available at
http://dpkg-sig.turmzimmer.net/policy.html and dpkg-sig is one (the ?)
implementation of this. There is no problem in adding code to
debsig-verify that allows verification of packages signed with
dpkg-sig - I just preferred to start with a tiny "sign and verify by
hand"-utility first.

When and if this tool is liked and accepted by the community, then the
next changes (dpkg-buildpackage, dinstall, debsig-verify, ...) should
start. However, I prefer to make step after step.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
