Re: Bug#540215: Introduce dh_checksums

On Fri, Mar 19, 2010 at 09:14:13AM +0100, Frank Lin PIAT wrote:
> On Thu, 2010-03-18 at 12:39 +0100, Harald Braumann wrote:
> > On Thu, Mar 18, 2010 at 08:31:40AM +0100, Goswin von Brederlow wrote:
> > > Russ Allbery <rra@debian.org> writes:
> > > > Simon McVittie <smcv@debian.org> writes:
> > >
> > > >> Most packages (in terms of proportion of the archive, in particular for
> > > >> architectures other than i386 and amd64) are built by a buildd, so each
> > > >> buildd would have to have a signing key that could sign the checksums
> > > >> file during build. 
> > 
> > Self-contained packages, where the signature is included and installed
> > along with the checksum file, would have a lot of
> > advantages. You wouldn't need access to a lot of infrastructure just
> > to verify a signature. It would be very simple. It could be used for
> > packages that are not part of Debian. For instance, I could produce a
> > package and send it to a friend and he could later use my key for
> > verification.
> Oh please no. Don't advocate sending individual .deb files, ever. This
> practice should be strongly discouraged. One brilliant part of Debian
> packaging *is* the APT infrastructure, some key features:

It's local software that's relevant for me and maybe 3 other people. I
don't think Debian would accept it in the archive. And I'm not
going to set up an APT infrastructure for this either, because it's
simply not needed. 

> If people and ISV start publishing individual .deb, they (and we) will
> have to face the same problem as Windows/Mac/whatever had to solve: each
> application will need to embed a feature to "Check for update", etc.

These are exceptions; it's not like suddenly everyone starts
publishing their own debs. But why shouldn't an implementation also
support this?
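As an added illustration of the local verification step discussed above (a checksum manifest shipped inside the package and checked on the installed system without any archive infrastructure), here is a small verifier. It is example code written for this page, not code from the bug report, from debhelper or from any dh_checksums implementation. It assumes a manifest in the same line format as a dpkg md5sums file but carrying SHA-256 digests (`<hex digest>  <relative path>`); checking the detached signature over that manifest against the publisher's key (for example with gpg) is assumed to happen before this runs and is not part of the block.

```python
"""Verify installed files against a package's shipped checksum manifest.

Added example; not code from the bug report or from debhelper.
Assumed manifest format: one "<sha256 hex>  <relative path>" per line,
blank lines and '#' comments ignored. Signature verification of the
manifest itself (e.g. gpg --verify with the publisher's key) is a
separate, prior step and is not performed here.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse manifest text into {relative path: lowercase hex digest}.

    Rejects malformed lines, digests of the wrong length or alphabet,
    and duplicate paths, so a tampered or truncated manifest fails loudly
    instead of silently verifying fewer files.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <path>'")
        digest, path = parts[0].lower(), parts[1]
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if os.path.isabs(path) or ".." in path.split("/"):
            raise ValueError(f"manifest line {lineno}: path escapes the tree: {path!r}")
        if path in entries:
            raise ValueError(f"manifest line {lineno}: duplicate path {path!r}")
        entries[path] = digest
    return entries


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest_text):
    """Check every manifest entry under root.

    Returns (ok, changed, missing): sorted lists of manifest paths whose
    content matches, differs, or is absent. Files present on disk but not
    in the manifest are not reported; the manifest only vouches for what
    it lists.
    """
    entries = parse_manifest(manifest_text)
    ok, changed, missing = [], [], []
    for rel in sorted(entries):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) == entries[rel]:
            ok.append(rel)
        else:
            changed.append(rel)
    return ok, changed, missing


def demo():
    """Constructed scenario: install three files, then modify one and delete one.

    Returns the verify_tree results before and after the modification.
    """
    files = {  # constructed sample package contents
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/hello/README": b"hello\n",
        "etc/hello.conf": b"greeting=hello\n",
    }
    manifest = "# constructed manifest\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}\n" for rel, data in files.items()
    )
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        before = verify_tree(root, manifest)
        # Simulate post-install tampering and a deleted documentation file.
        with open(os.path.join(root, "usr/bin/hello"), "ab") as f:
            f.write(b"echo modified\n")
        os.remove(os.path.join(root, "usr/share/doc/hello/README"))
        after = verify_tree(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The manifest is only as trustworthy as the signature over it: a verifier that trusts an unsigned manifest lying next to the files it describes would happily accept a replacement manifest written by whoever changed the files, which is why the signed manifest is the artefact the publisher's key has to cover.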


