Re: dpkg-sig support wanted?

[Erinn Clark]
> Yet just today you filed a bug (#340403) for documentation to be
> included in the package since you were unable to explain dpkg-sig's
> strengths. How is it possible for you to claim something is more secure
> when you don't understand it well enough to say how it's different?

That's unfair and you know it.  It seems he *did* educate himself about
dpkg-sig: "I had to look for a while to find the dpkg-sig FAQ on the
web page."  It is perfectly reasonable to want users to have easy
access to this information, given the rather confusing array of
signature-related packages and options in Debian packaging.

Not knowing the relative advantages of dpkg-sig versus debsigs is
hardly the same thing as being unqualified to speak about the reasons
(or lack thereof) to support signed .debs.  And, from what I
understand, the dak change which proved so contentious broke both
equally.  (Whether Andreas's script counted packages signed with
debsigs as well as those signed with dpkg-sig, I don't know, as I don't
have access to it.)

I do think a feature comparison and compatibility matrix would be
useful to have, between dpkg-buildpackage/debsign (for signing .changes
and .dsc files), debsigs (for signing .deb files), dpkg-sig (for
signing and verifying .deb files) and debsig-verify (for verifying .deb
