

* Roger Leigh (rleigh@codelibre.net) [110501 19:04]:
> WRT the signing key, there would need to be some form of trust path
> or else the signature would be worthless.  If packages are being
> uploaded to Debian infrastructure, and are under our control, can't
> we use a single signing key?  We presumably verified the integrity
> and origin of the package on initial upload, so we should be able to
> use a generic signing key surely?  If this is provided in a package
> then we can trigger automated installation of it.

I'd prefer the form that we currently do for e.g. backports: We import
the key on chroot creation, see APT_KEYS in 99builddsourceslist.
Advantage: we don't need to touch chroots if keys change.

> The main thing sbuild needs would be the information to add to
> sources.list, signing key packages etc.  This would probably require
> passing from buildd, so probably more a question of how buildd will
> be configured and get the information to pass to sbuild.

buildds already receive a yaml-file from wanna-build, so part of the
question is easily answered.

For testing purposes, one could make an easy wanna-build with
something like:

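#! /bin/bash

# Listing request: print the single package that needs building.
if echo "$*" | grep -q needs-build; then
    echo "devel/package_version [optional:out-of-date]"
    exit 0
fi

# Any other request: print the yaml answer that hands the package out.
cat <<EOF
- package:
    - status: ok
    - pkg-ver: package_version
    - key1: value1 (etc)
EOF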

(should be enough for handing out packages to buildd, replacing all
package by the package name, and version by the package version)

