
Re: dpkg-sig support wanted?

>>>>> "Matthew" == Matthew Palmer <mpalmer@debian.org> writes:

    Matthew> I'm keenly interested in per-package signatures for
    Matthew> Debian packages -- I think they're a great idea and it's
    Matthew> a pity that they haven't received more interest.

Same here.

I would really like to see all packages signed, not just the source
code and not just the archive (if any) they came from.

I see advantages:

* ability to check downloaded binary package even if it no longer
  exists in latest archive.

* ability to trace the source of a binary package in a secure way,
  whether it was built by a maintainer, automatically built by an
  autobuilder (which one?), or built by some 3rd party.

  yes - I realize some people consider automatic signing by an
  autobuilder to be "insecure" - however I think it is more secure
  than not having any signature - when deciding on how much you trust
  it you need to take into account the source. Besides, I believe the
  archive is already signed automatically anyway.

* this can occur without trying to look up the *.changes file
  (assuming it still exists - for packages never uploaded to Debian,
  maybe not).

* others I am too lazy to think of.

    Matthew> I've never seen dpkg-sig mentioned before, only debsigs,
    Matthew> so I'm not familiar with the tool itself, but the concept
    Matthew> is one that needs a lot more exposure.

I would speculate debsigs got a name change to dpkg-sig. Can somebody
confirm or deny?

Brian May <bam@debian.org>
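The advantages listed in the message above (checking a downloaded binary even after it has left the archive, and tracing whether a maintainer, a named autobuilder or a third party produced it) come down to a signature that travels inside the package and a keyring that maps signing keys to roles. The following Go program is an added illustration of that idea and is not code from this thread, from dpkg-sig or from debsigs: it models a package as an in-memory list of members (a .deb is an ar archive of `debian-binary`, control and data members), signs a digest over those members with Ed25519 (an assumption chosen because it is in Go's standard library; the real tools use OpenPGP), and verifies against a keyring that records the signer's role. The member contents, seeds and role names are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Member is one file inside the package container (constructed model of the
// ar members of a .deb; the real format is not reproduced here).
type Member struct {
	Name string
	Data []byte
}

// Signature is stored alongside the members, so the package carries its own
// proof of origin and can be checked without consulting any archive.
type Signature struct {
	KeyID string // identifies which key in the verifier's keyring to use
	Sig   []byte // Ed25519 signature over Digest(members)
}

// Package is the container plus any number of attached signatures
// (e.g. one from the maintainer and one from the autobuilder).
type Package struct {
	Members    []Member
	Signatures []Signature
}

// Signer is a keyring entry: the public key and the role the verifier has
// decided to trust it for ("maintainer", "autobuilder:<name>", ...).
type Signer struct {
	Pub  ed25519.PublicKey
	Role string
}

// Keyring maps key IDs to signers; this is where trust decisions live.
type Keyring map[string]Signer

// Digest covers every member, in name order, with name and length framed in
// so that members cannot be renamed or re-split without changing the hash.
func Digest(members []Member) []byte {
	sorted := append([]Member(nil), members...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	h := sha256.New()
	for _, m := range sorted {
		fmt.Fprintf(h, "%s\x00%d\x00", m.Name, len(m.Data))
		h.Write(m.Data)
	}
	return h.Sum(nil)
}

// KeyID is a short fingerprint of a public key (truncated SHA-256, hex).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:8])
}

// Sign attaches a signature by priv over the current members.
func Sign(pkg *Package, priv ed25519.PrivateKey) {
	pub := priv.Public().(ed25519.PublicKey)
	pkg.Signatures = append(pkg.Signatures, Signature{
		KeyID: KeyID(pub),
		Sig:   ed25519.Sign(priv, Digest(pkg.Members)),
	})
}

// Verify recomputes the digest and checks every attached signature against
// the keyring. It returns the roles of the signers, so the caller can decide
// how much to trust a package built by, say, an autobuilder rather than the
// maintainer. Any unknown key or mismatching signature fails the package.
func Verify(pkg *Package, ring Keyring) ([]string, error) {
	if len(pkg.Signatures) == 0 {
		return nil, errors.New("package carries no signature")
	}
	digest := Digest(pkg.Members)
	var roles []string
	for _, s := range pkg.Signatures {
		signer, ok := ring[s.KeyID]
		if !ok {
			return nil, fmt.Errorf("signature by unknown key %s", s.KeyID)
		}
		if !ed25519.Verify(signer.Pub, digest, s.Sig) {
			return nil, fmt.Errorf("signature by %s (%s) does not match package contents", signer.Role, s.KeyID)
		}
		roles = append(roles, signer.Role)
	}
	return roles, nil
}

// NewSeedKey derives a deterministic key from a repeated byte; used only so
// this constructed example is reproducible. Real keys come from a keyring.
func NewSeedKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// SamplePackage builds a constructed package with the three members a .deb has.
func SamplePackage() *Package {
	return &Package{Members: []Member{
		{Name: "debian-binary", Data: []byte("2.0\n")},
		{Name: "control.tar", Data: []byte("Package: example\nVersion: 1.0-1\n")},
		{Name: "data.tar", Data: []byte("constructed payload bytes")},
	}}
}

func main() {
	maint, buildd := NewSeedKey(1), NewSeedKey(2)
	ring := Keyring{
		KeyID(maint.Public().(ed25519.PublicKey)):  {Pub: maint.Public().(ed25519.PublicKey), Role: "maintainer"},
		KeyID(buildd.Public().(ed25519.PublicKey)): {Pub: buildd.Public().(ed25519.PublicKey), Role: "autobuilder:buildd-1"},
	}
	pkg := SamplePackage()
	Sign(pkg, maint)
	Sign(pkg, buildd)
	fmt.Println(Verify(pkg, ring)) // roles of both signers, nil error
	pkg.Members[2].Data = []byte("modified after signing")
	fmt.Println(Verify(pkg, ring)) // nil, signature mismatch error
}
```

Two properties of the model are worth noting. Because the digest is over the members rather than over the archive's index, a copy of the package that has long since left the archive verifies exactly as well as a fresh download, which is the first advantage in the message. Because the role comes from the verifier's keyring rather than from the package, a package cannot claim to be maintainer-built; the verifier learns only what its own trust configuration says about the key that signed it, which is what makes the "which autobuilder?" question answerable.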
