[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#247824: /usr/bin/dpkg-buildpackage: please consider using dpkg-sig instead of debsign

tags 112824 - patch
tags 225318 - patch
merge 112824 225318 247824

On Fri, 2004-05-07 at 13:18 +0200, Marc Haber wrote:

> for a while now, the package dpkg-sig has been available to sign
> packages. dpkg-sig is vastly superior over debsign because:
>   - it creates a signature on the binary package as well
>   - it caches the passphrase, only requiring the maintainer to type
>     the passphrase once
Scary ... what security considerations does it undertake for the region
of memory in which it stores the passphrase?

> Please consider adding an option to dpkg-buildpackage that allows
> usage of dpkg-sig instead of debsign.
debsign is part of dpkg, implementing the standard signed changes+dsc
behaviour.  Until dpkg fully supports signing of binary packages,
including verification, I don't think it's appropriate to do this just

Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: