[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New field proposed, UUID



On Wed, Nov 29, 2000 at 04:12:39PM -0800, Sean 'Shaleh' Perry wrote:
> > Your UUID is the pkg+version+arch.  From my viewpoint it's as simple as
> > that.  Maybe the official policy needs to be updated so that it is clear
> > that any change to the binary packages, including just compile time changes,
> > requires a version update?  That way you could change your "sigs" as often
> > as you'd like but you would know that a particular build was a particular
> > build.
> Ben neglected to talk about the signing policy ....
> You compile your package and upload it (signed by you) to unstable.  6 months
> later, when we are ready to release the Release Manager has a Release Key and
> the packages themselves are signed by this key.  Using md5sums fail here
> because the contents of the deb have changed (the sig was added).  The version
> number should not be bumped because there is no packaging change.

Good grief. This would require all non-rsync mirrors to redownload *ever*
.deb in the newly released distribution in whole, and would require
every user to redownload every package they've installed if they want to
upgrade from foo-unstable to foo-stable. It'd also mean package signatures
would not be checkable without special tools.

Note also that a UUID is fakeable, so just because one .deb with that
UUID is correctly signed, it doesn't mean some other .deb with the same
UUID is actually the same.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

     ``Thanks to all avid pokers out there''
                       -- linux.conf.au, 17-20 January 2001

Attachment: pgpBaxU9HTJxq.pgp
Description: PGP signature


Reply to: