
Re: Revival of the signed debs discussion



Andreas Barth <aba@not.so.argh.org> writes:

> * Goswin von Brederlow (brederlo@informatik.uni-tuebingen.de) [031204 15:10]:
> > Andreas Barth <aba@not.so.argh.org> writes:
> 
> > > Ok?
>  
> > Sounds ok but the upload rules can be tightened much much later. First
> > we have to get signing started, which means fixing apt-utils or
> > debsigs or preferably both. And of course change policy to
> > allow/suggest it.
> 
> I want to know before going on a trip where this trip is suggested to
> end. Of course, after knowing, we should really start with the first
> steps. And these are, as you say:
> - Fix apt-utils

Patch existing.

> - Sign md5sum-files instead of the concatenated binaries (to allow for
>   remote signing)

That would be a design change in debsigs and debsigs-verify. Small
one. Afaik it's still being looked into splitting gpg itself for remote
signing. The md5sum-file signing would be much simpler though.

> - Change policy
> 
> And don't forget: Start to sign as soon as the toolchain is ready for
> it.

I made a little mirror with signed debs. Without preconfiguring or
with the one line patch to apt-utils it works fine. I was working on
a debsigs patch for more conform debs, actually a dar (debian ar or
deb ar) binary that supports deb archive ar files as far as debsigs
needs it, when the new opteron arrived. New toys always distract.

MfG
        Goswin
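
Added example, not part of the original message and not debsigs code: a sketch of the md5sum-file idea discussed above, where a short digest list over the deb's ar members is what goes to the (possibly remote) signer instead of the concatenated members. The manifest layout (md5sum-style lines), the function names and the sample archive are assumptions made for illustration; `algo` defaults to md5 only because the thread names md5sum files.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Yield (name, data) for each member of a deb-style ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        pos += 60 + size + (size & 1)      # members are padded to even offsets

def manifest(blob, algo="md5"):
    """Digest list over the payload members; these bytes are what gets signed."""
    lines = []
    for name, data in ar_members(blob):
        if name.startswith("_gpg"):        # skip signature members added by debsigs
            continue
        lines.append("%s  %s\n" % (hashlib.new(algo, data).hexdigest(), name))
    return "".join(lines).encode("ascii")

def matches(blob, signed_manifest, algo="md5"):
    """Once the signature on signed_manifest has verified, check the deb against it."""
    return manifest(blob, algo) == signed_manifest

def make_ar(members):
    """Build a constructed sample archive (test data only)."""
    out = AR_MAGIC
    for name, data in members:
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))
        out += hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")
    return out

# Constructed sample contents, not a real deb.
SAMPLE_MEMBERS = [("debian-binary", b"2.0\n"),
                  ("control.tar.gz", b"constructed-control"),
                  ("data.tar.gz", b"constructed-data!")]
SAMPLE = make_ar(SAMPLE_MEMBERS)
```

Only the manifest has to travel to the signing host, and appending a signature member to the archive afterwards does not change the manifest that was signed.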


