Re: dpkg-sig support wanted?
On Thu, 24 Nov 2005, Anthony Towns wrote:
> On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote:
> > On Thu, 24 Nov 2005, Anthony Towns wrote:
> > > Personally, I think it's cryptographic snake oil, at least in so far
> > A signed deb has a seal of procedence and allows one to track the path it
> > made through the system, and who changed it.
> That's what the .changes file is for.
Well, assuming .changes is not snake-oil, then why should in-deb sigs be
called snake-oil? After all, according to you they essentially do the same
Still, .changes file do not carry all the information in-deb sigs do
(although they could, if we sign the .changes files more than once -- but
changes are DAK will croak on that too). They're not stored along with the
.debs anywhere (we could change that too, I suppose... but I doubt one extra
file per source in the archive will be welcome). They are *far* from being
as simple to handle as in-deb signatures.
Not to mention that doing the inverse path (from .deb to .changes) is far
more complicated than using in-deb sigs, and is only possible in fact if you
either always respect some sort of naming convention to go from source
package to .changes (and this *IS* a kludge), or if you read all .change
files hunting for the file you want in the MD5s.
> Uh, packages not uploaded to the official Debian archive can do whatever
> they want.
Sure. But I for one won't be building all debs twice, and many others won't
either. And proper support for in-deb signatures means added functionality
in a lot of other utilities that won't happen if Debian doesn't use in-deb
So, it makes a damn big difference if the Debian archive accepts signed debs
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot