[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

Simon Richter <Simon.Richter@hogyros.de> writes:

>>>IF this means we can switch the effort to a detached signature that is more
>>>powerful than a .changes file (or we are allowed to have multiple signatures
>>> in a .changes file),
> That is already possible with gnupg, just not well-documented; I'm not
> entirely sure what interesting breakage would occur if one were to
> upload a changes file with multiple signatures.

It gives a parse error and the DAK rejects the file.

>>>where dpkg would simply refuse
>>>per user-set policy any non-signed deb or any deb without a specific
>> I'm sorry, but you're back to the snakeoil use for deb sigs. Expecting
>> a signature by a random Debian developer to mean something is not
>> reasonable.

A signature in the deb by a random developer is as trustworthy as the
changes file and you already trust that. So we are going from snakeoil
to snakoil. No harm done.

> That's why there can be multiple signatures. There would be one from
> the maintainer/buildd, a few from the Debian archive (for example, you
> could add one sig for "officially in Debian unstable", one for
> "migrated to testing" and one for "in a stable release") and if the
> idea of adding description/template translations later on catches on,
> also some from the translators/translation system.

Although that would alter the packages md5sum and even alter a package
while still being in a distribution (the unstable deb would suddenly
gain a signature). It would be a big change to allow this.

>     Simon

Reply to: