
Re: Revival of the signed debs discussion



Wouter Verhelst wrote:
> Requiring us to log in to the autobuilder to sign the .deb remotely is
> not acceptable, for two reasons:
> * it's way too much work for most of us
> * it requires copying the secret key over, which is, uh, a bad idea.
> 
> An alternative would be to copy over the .debs, sign them on the local
> hard disk, and upload them from there. That won't work either; it only
> solves the second problem (as you don't have to copy the secret key
> over), not the first, and it adds a bandwidth-related (if I have to
> download all packages arrakis successfully builds, have to sign them
> locally, and upload them again, I might exceed the download quota my ISP
> has implemented; requesting a higher quota involves paying for it)
> 
> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.

There is nothing in signed debs that prevents you from generating the
fingerprint on the buildd, and mailing it to you for remote signing. It
does require a two step process of first signing the debs, then their
changes file, but this seems amenable to automation.

-- 
see shy jo
