Re: dpkg-sig: sign binary debian archive files
* George Danchev (firstname.lastname@example.org) [031228 17:25]:
> On Sunday 28 December 2003 16:17, Andreas Barth wrote:
> > similar. I remember also a discussion with doogie about "make it in an
> > extra package or as part of dpkg (source package)?" where I got
> > something like: Show usable code in an extra package, and if it works
> > (and is actually used), it's possible to move that to dpkg later on.
> Perhaps that had been discussed before, that patch had been introduced
> and merged. As far as I can see it is in dpkg src tree and interacts with the
> package of debsig-verify and also described in securing-debian-howto.
No. dpkg-sig is discussed and written in 2003, and that patch is from
> > So, for me the situation is this:
> > - If the dpkg-maintainers ask me to change name I'll of course do this.
> > - I'll try to move the code to src:dpkg if dpkg-sig is really used
> > (which I assume and hope); otherwise, we won't need an unused
> > package in the archive.
> As I understand this is an alternative to the above patch+debsig-verify story.
No. The verification capabilities of dpkg-sig are equivalent to the
package extraction capabilities of dpkg-deb - very useful if one
needs such a thing, but not the default usage in daily operation. For
the everyday signature verification I recommend a more high-level tool
> Isn't it a little bit confusing to have 2 methods for per-deb signing/
Well, there were some issues:
- don't break the deb when adding signatures
- protocol must allow the possibility of remote signing
(The second is a requirement of more than one buildd-admin - and they
know probably much better than I what they need.)
So, because of the second issue, we needed a change in the signing
protocol. A draft of the signing protocol is available at
http://dpkg-sig.turmzimmer.net/policy.html and dpkg-sig is one (the ?)
implementation of this. There is no problem in adding code to
debsig-verify that allows verification of packages signed with
dpkg-sig - I just preferred to start with a tiny "sign and verify by
When and if this tool is liked and accepted by the community, then the
next changes (dpkg-buildpackage, dinstall, debsig-verify, ...) should
start. However, I prefer to make step after step.
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C