Re: dpkg-sig support wanted?

  [Goswin von Brederlow]
> > Use 2: I have this Ubuntu CD and want to know which debs are from
> >        Debian and which got recompiled
> > 
> >   Look for all debs that have a deb signature of the Debian archive
> >   (to be added to dinstall at some point).

[Matthew Garrett]
> The answer is "all of them", so this one's not very compelling.

What?  All Ubuntu .deb files went through ftp-master.debian.org at some
point?  I know you can't actually mean that.  Hmmm, perhaps you meant
"none of them"?  If so, that's an Ubuntu-specific answer, because even
if Ubuntu recompiles all packages, many Debian derivative distributions
do not.

Or did you mean signatures on individual debs are not useful for this
purpose since one could instead simply archive the Packages and Release
files for Debian unstable every day between one Ubuntu release and the
next?  While possible, this has approximately the same absurdity factor
as asking users to subscribe to debian-devel-changes and keep enough
mail archives around to verify developer signatures *that* way.  (Yes,
believe it or not, that has actually been proposed!)