
Re: dpkg-sig support wanted?

On Wed, Nov 23, 2005 at 11:33:47AM +0100, Florian Weimer wrote:
> * Marc Brockschmidt:
> > Today (or last night, whatever), the dak installation on ftp-master was
> > changed to not accept packages that include more than 3 parts, which are
> > usually the binary version and the compressed control and data
> > tarballs. This means that signed binary packages are rejected.
> This is a pity.  I think dpkg-sig is an important step into the right
> direction: providing more assurances about package integrity to our
> users.

Personally, I think it's cryptographic snake oil, at least in so far
as it relates to Debian. I remain interested in seeing any realistic
demonstration of how a Debian user could reasonably rely on them for
any practical assurance.

> since May 31.  The diff at
> <http://cvs.debian.org/dak/jennifer?root=dak&r1=1.56&r2=1.57> shows
> that the additional check was *removed*, not *added* more than a week
> ago.

Yes; CVS was corrupted in May and hadn't been updated 'til the other
week. http://azure.humbug.org.au/~aj/blog/2005/11/16#2005-11-16-dak

> Since there is no way for Debian Developers to review the way Debian
> packages are created (and it's totally out of question for end users),

buildd.debian.org gives full logs, to developers or users.

> something that provides DD-to-user package signatures at least in some
> cases is very desirable indeed.

debian-devel-changes provides this.


Attachment: signature.asc
Description: Digital signature
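
The three-part rule quoted at the top of this message can be checked by listing the members of the .deb's ar archive. The sketch below is an added example, not dak's code and not part of the thread; the accepted member-name patterns, the `_gpgbuilder` name used for a dpkg-sig signature member, and the sample archives are assumptions constructed for illustration.

```python
import re

AR_MAGIC = b"!<arch>\n"
HEADER_LEN = 60  # name 16, mtime 12, uid 6, gid 6, mode 8, size 10, end marker 2
# Assumed layout: format version file, then control and data tarballs, in that order.
EXPECTED = [re.compile(p) for p in (r"debian-binary$", r"control\.tar(\.\w+)?$", r"data\.tar(\.\w+)?$")]

def build_ar(members):
    """Build a minimal ar archive from (name, payload) pairs, for the samples below."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        header = "%-16s%-12d%-6d%-6d%-8s%-10d" % (name, 0, 0, 0, "100644", len(payload))
        out += header.encode("ascii") + b"`\n" + payload
        out += b"\n" * (len(payload) % 2)  # member data is padded to an even length
    return bytes(out)

def ar_members(data):
    """Return the member names of an ar archive, in archive order."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, pos = [], len(AR_MAGIC)
    while pos < len(data):
        header = data[pos:pos + HEADER_LEN]
        if len(header) < HEADER_LEN or header[58:60] != b"`\n":
            raise ValueError("truncated or corrupt member header at offset %d" % pos)
        size = int(header[48:58].decode("ascii").strip())
        if pos + HEADER_LEN + size > len(data):
            raise ValueError("member data runs past end of archive")
        names.append(header[0:16].decode("ascii").rstrip(" ").rstrip("/"))
        pos += HEADER_LEN + size + (size % 2)
    return names

def check_parts(data):
    """Return rejection reasons; an empty list means the three-part layout holds."""
    names = ar_members(data)
    reasons = []
    for i, pattern in enumerate(EXPECTED):
        if i >= len(names):
            reasons.append("missing part %d" % (i + 1))
        elif not pattern.match(names[i]):
            reasons.append("unexpected member %r at position %d" % (names[i], i + 1))
    reasons += ["extra member %r" % extra for extra in names[3:]]
    return reasons

# Constructed samples: an unsigned package and one with an appended signature member.
PLAIN = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"c"), ("data.tar.gz", b"dd")])
SIGNED = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", b"c"), ("data.tar.gz", b"dd"), ("_gpgbuilder", b"sig")])

if __name__ == "__main__":
    print("plain :", check_parts(PLAIN))
    print("signed:", check_parts(SIGNED))
```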