On 2015-06-18 02:31:57 +0000 (+0000), Clint Adams wrote:
> No, in this particular case, upstream IS releasing source tarballs
> and the packagers are refusing to use them for reasons I find
> incomprehensible.

Well, for some of the packages in question where I'm involved upstream, we still aren't providing PGP signatures for some of those tarballs (not even PGP-signed checksum lists). Some are uploaded to Launchpad and a release manager uploads a signature along with it, some are auto-published to other places by our build systems, and sometimes a release manager sends a signed release announcement to a few mailing lists, hopefully including strong checksums of the tarballs, but there are plenty where CI automation is building the tarballs (based on signed tags in a VCS, of course) and uploading them without a corresponding signature.

I'm planning to rectify that to some extent by having trusted systems in our build infrastructure create and upload signatures with them, but depending on a package maintainer's trust preferences that may not be seen as a strong enough attestation. On the other hand, I run Debian testing and unstable on a lot of systems and have a fairly strong degree of faith in the automatic archive signing keys... we'd definitely be following similar measures to cross-sign, secure and rotate our automatic tarball signing keys.

-- 
Jeremy Stanley
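The message above contrasts tarballs published with a detached signature (or a PGP-signed checksum list) against tarballs uploaded by CI with no signature at all. What a package maintainer can actually check on the consuming side, given a signed checksum list, is shown in the following added example. It is not code from the post or from any of the projects it refers to, and it assumes a release layout that is itself an assumption: `<name>.tar.gz`, a `sha256sum`-style `SHA256SUMS` file, and a detached `SHA256SUMS.asc` made by the release manager's key, which the verifier has already imported into a keyring file of its own. Only the standard library plus an installed `gpg` binary are used.

```python
"""Verify a release tarball against a PGP-signed checksum list.

Added example, not code from the mailing-list post or from any of the
projects it mentions. Assumed layout (an assumption, not any project's real
one): a release ships <name>.tar.gz, a sha256sum-style SHA256SUMS file, and
a detached signature SHA256SUMS.asc made by the release manager's key, which
the verifier has already imported into a keyring file of its own.
"""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

# sha256sum output: 64 hex digits, one space, then ' ' (text mode) or
# '*' (binary mode), then the file name.
_SUM_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_checksum_list(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Any line that is not blank, a comment, or a well-formed entry raises,
    so a mangled or truncated list is rejected rather than partly trusted.
    """
    entries = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _SUM_LINE.match(raw)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[m.group("name")] = m.group("digest").lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_tarball(tarball, entries):
    """True only if the tarball's basename is listed and its digest matches."""
    expected = entries.get(Path(tarball).name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(tarball), expected)


def verify_detached_signature(signed_file, sig_file, keyring):
    """Run `gpg --verify` against a dedicated keyring; True only on exit status 0.

    The keyring path is supplied by the caller (assumption: it holds only the
    release manager's key, so an unrelated key in the default keyring cannot
    satisfy the check).
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(sig_file), str(signed_file)],
        capture_output=True, text=True, check=False)
    return result.returncode == 0


def verify_release(tarball, sums_file, sig_file, keyring):
    """Signature first, then checksum: the list is only trusted once it verifies."""
    if not verify_detached_signature(sums_file, sig_file, keyring):
        return "signature on checksum list did not verify"
    entries = parse_checksum_list(Path(sums_file).read_text())
    if not check_tarball(tarball, entries):
        return "tarball not listed or checksum mismatch"
    return "ok"


def selfcheck():
    """Exercise the checksum path on a constructed tarball (no gpg needed).

    Returns (matches_good_list, matches_tampered_list); expected (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tarball = Path(tmp) / "example-1.0.tar.gz"
        # Constructed file contents; not a real archive.
        tarball.write_bytes(b"constructed tarball contents, not a real archive\n")
        good = parse_checksum_list(f"{sha256_file(tarball)}  example-1.0.tar.gz\n")
        tampered = parse_checksum_list("0" * 64 + "  example-1.0.tar.gz\n")
        return check_tarball(tarball, good), check_tarball(tarball, tampered)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:
        # usage: verify_release.py TARBALL SHA256SUMS SHA256SUMS.asc KEYRING
        print(verify_release(*sys.argv[1:]))
    else:
        print("selfcheck:", selfcheck())
```

The ordering in `verify_release` is the point of the message: an unsigned checksum list attests nothing, so the signature is checked before a single digest is compared, and the signature is checked against a keyring holding only the key the maintainer has chosen to trust. A tarball uploaded by CI with no signature fails at the first step no matter how good its checksum list looks.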