[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#540215: Introduce dh_checksums

On Thu, 2010-03-18 at 12:39 +0100, Harald Braumann wrote:
> On Thu, Mar 18, 2010 at 08:31:40AM +0100, Goswin von Brederlow wrote:
> > Russ Allbery <rra@debian.org> writes:
> > > Simon McVittie <smcv@debian.org> writes:
> >
> > >> Most packages (in terms of proportion of the archive, in particular for
> > >> architectures other than i386 and amd64) are built by a buildd, so each
> > >> buildd would have to have a signing key that could sign the checksums
> > >> file during build. 
> Self-contained packages, where the signature is included and installed
> along with the checksum file, would have a lot of
> advantages. You wouldn't need access to a lot of infrastructure just
> to verify a signature. It would be very simple. It could be used for
> packages, that are not part of Debian. For instance, I could produce a
> package and send it to a friend and he could later use my key for
> verification.

Oh please no. Don't advocate sending individual .deb files, ever. This
practice should be strongly discouraged. One brilliant part of Debian
packaging *is* the APT infrastructure, some key features:

 1. Security updates
 2. Bug fixes
 4. Dependency resolution
 5. Smoother dist-upgrades because:
 5a. The APT repository provides newer version, with updated
     dependencies (libraries transitions...)
 5b. The user don't have to visit each web site to dist-upgrade
 6. Single GPG key to manage (revocation ; update...)
 7. Single GPG key to trust (per repository)

If people and ISV start publishing individual .deb, they (and we) will
have to face the same problem as Windows/Mac/whatever had to solve: each
application will need to embed a feature to "Check for update", etc.

I am spending about 2 hours every two month on my parents computer, just
update all the damned Windows applications. Who really wants Debian to
go down that say.

I must say that if someone can't "setup" an APT repository to publish
packages, you should reconsider the installation of any package from
that person/ISV. (Reminder the Debian Policy has 135 pages, whom ever
can read and use it to create a proper package can also read a few
manpages to setup a repository). The same stand for RPM & co.

cat < /home/fpiat/2¢ >> debian-devel



Reply to: