Re: dpkg-sig support wanted?
Marc Haber <firstname.lastname@example.org> wrote:
> On Thu, 24 Nov 2005 10:51:55 +0000, Roger Leigh
> <email@example.com> wrote:
>>John Hasler <firstname.lastname@example.org> writes:
>>> Marc Haber writes:
>>>> So, most of the DD's do not care about security at all.
>>> I think that DD's do not use dpkg-sig and debsigs because they believe them
>>> to be hard to use and not supported by the infrastructure or by policy.
>>ACK. I certainly care about security, and I'll sign my packages just
>>as soon as debsign supports it.
> So you wouldn't use dpkg-sig even if it were still supported by the
I think these are bogus questions. I am a complete non-expert in these
security things. I am sure that if the project comes to the conclusion
that signing debs is a good thing, more people will do it irrespective
of how convenient the procedure is in the beginning. If it finds its
way into the Developer's Reference, even more will use it (and start
integrating it into debsign or whatever). To me, it's not a question of
whether it's easy to use, but rather whether I can be convinced that it
is worth it.
So far, I could not draw any conclusion from this discussion - both the
counter and the pro arguments contain some truth, and uneducated as I am
I cannot judge at the moment.
However, if there was no technical reason to reject signed binary
packages, it seems to me as if making that change to DAK is an abuse of
ftpmaster's powers: This is a design decision, and it should be made
after thorough public discussion, either by finding a consensus or by
using our constitutional means of making a decision. Changes should not
be made in advance, except if there is an unrelated technical reason (I
don't know whether this is the case).
Inst. f. Biochemie der Univ. Zürich