Re: Bug#540215: Introduce dh_checksums
Wouter Verhelst <firstname.lastname@example.org> writes:
> On Fri, Mar 12, 2010 at 05:16:55AM +0100, Goswin von Brederlow wrote:
>> Harald Braumann <email@example.com> writes:
>> > On Wed, Mar 10, 2010 at 03:32:14PM +0100, Wouter Verhelst wrote:
>> >> Having package.checksums be GPG-signed will take a significant change in
>> >> our infrastructure (buildd hosts, for instance, would need to have a way
>> >> to sign checksums files as well), so it's not going to happen
>> >> tomorrow.
>> That can be avoided by including a hash of the checksum file in the
>> Packages files.
> That doesn't help for the problem we're trying to fix here: having a
> path to a GPG signature from an individual binary on the hard disk,
> months or years after the package was installed.
> With your proposal, you lose the signatures once the package is out of
> the archive and you run 'apt-get update'.
Then don't do that. :)
I don't think signing the checksum file itself will be feasable as that
would alter the contents of the deb and change the checksums in the
changes files autobuilders send the admin for signing. It would break
the existing signing infrastructure for autobuilders. It would also
require running dpkg-genchanges again during signing or otherwise adjust
the checksums in the changes file.
But for packages no longer in the archive there is snapshot.debian.net
(or the official replacement).