Re: dpkg-sig support wanted?
Simon Richter <Simon.Richter@hogyros.de> writes:
>>> IF this means we can switch the effort to a detached signature that is more
>>> powerful than a .changes file (or we are allowed to have multiple signatures
>>> in a .changes file),
> That is already possible with gnupg, just not well-documented; I'm not
> entirely sure what interesting breakage would occur if one were to
> upload a changes file with multiple signatures.
It gives a parse error and the DAK rejects the file.
>>>where dpkg would simply refuse
>>>per user-set policy any non-signed deb or any deb without a specific
>> I'm sorry, but you're back to the snakeoil use for deb sigs. Expecting
>> a signature by a random Debian developer to mean something is not
A signature in the deb by a random developer is as trustworthy as the
changes file, and you already trust that. So we are going from snakeoil
to snakeoil. No harm done.
> That's why there can be multiple signatures. There would be one from
> the maintainer/buildd, a few from the Debian archive (for example, you
> could add one sig for "officially in Debian unstable", one for
> "migrated to testing" and one for "in a stable release") and if the
> idea of adding description/template translations later on catches on,
> also some from the translators/translation system.
Although that would alter the package's md5sum and even alter a package
while it is still in a distribution (the unstable deb would suddenly
gain a signature). It would be a big change to allow this.