* Roger Leigh (firstname.lastname@example.org) [110501 19:04]:
> WRT the signing key, there would need to be some form of trust path
> or else the signature would be worthless. If packages are being
> uploaded to Debian infrastructure, and are under our control, can't
> we use a single signing key? We presumably verified the integrity
> and origin of the package on initial upload, so we should be able to
> use a generic signing key surely? If this is provided in a package
> then we can trigger automated installation of it.
I'd prefer the form that we currently do for e.g. backports: We import
the key on chroot creation, see APT_KEYS in 99builddsourceslist.
Advantage: we don't need to touch chroots if keys change.
> The main thing sbuild needs would be the information to add to
> sources.list, signing key packages etc. This would probably require
> passing from buildd, so probably more a question of how buildd will
> be configured and get the information to pass to sbuild.
buildds already receive a yaml-file from wanna-build, so part of the
question is easily answered.
For testing purposes, one could make an easy wanna-build with
    if echo $* | grep needs-build -q; then
        echo "devel/package_version [optional:out-of-date]"
    - status: ok
    - pkg-ver: package_version
    - key1: value1 (etc)
(should be enough for handing out packages to buildd, replacing all
package by the package name, and version by the package version)