On Sun, May 01, 2011 at 06:24:00PM +0200, Stéphane Glondu wrote:
> I was thinking of a request that would include a base suite (e.g.
> squeeze, wheezy, or sid), files to drop in /etc/apt/sources.list.d (and
> /etc/apt/preferences.d), and the key used to sign unofficial
> repositories. Of course, the request itself would be signed (like
> *.changes or *.commands files on ftp-master). Then a buildd accepting a
> job would add the key with apt-key, drop the files in /etc/apt, upgrade
> and launch the build as usual... the whole thing done in a throw-away
> chroot, obviously (I use cowbuilder myself for that, but I heard that
> sbuild had support for LVM snapshots).

sbuild has support for all the clonable chroot types schroot offers (LVM snapshots, Btrfs snapshots, unionfs/aufs filesystem overlays and file-based sources such as compressed tar). AFAICT most of the buildds are now using LVM with snapshotting.

If you do want to work on this, check out sbuild.git. See etc/99builddsourceslist for the existing apt sources.list configuration used by the buildds. Could this be extended to do what you need? Otherwise see lib/Sbuild/ResolverBase.pm for the existing sources.list.d stuff.

WRT the signing key, there would need to be some form of trust path or else the signature would be worthless. If packages are being uploaded to Debian infrastructure, and are under our control, can't we use a single signing key? We presumably verified the integrity and origin of the package on initial upload, so we should be able to use a generic signing key surely? If this is provided in a package then we can trigger automated installation of it. This could even be installed prior to downloading the source package; we don't currently do this (we use the already available archive signing keys), but we can add it.

The main thing sbuild needs would be the information to add to sources.list, signing key packages etc. This would probably require passing from buildd, so probably more a question of how buildd will be configured and get the information to pass to sbuild.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.