Re: Bug #340306: Specification draft for signed debs

On Mon, 11 Jun 2012 11:26:19 +0200 (CEST)
niels@thykier.net (Niels Thykier) wrote:

>  * Role (required, simple).  Defines the signers relation to the
>    package.  It must be one of the following values:
>     - "builder": The signer built the package.  At most one
>       signature file can use this role.
>     - "reviewer": The signer reviewed the package.  This role can
>       be used in any number of signature files.
>     - "vendor": The signer is a vendor (re-)distributing the
>       package.  The name of the vendor will be in the Vendor
>       field.  This role can be used in any number of signature
>       files (assuming the vendors import the deb "as-is" and
>       simply resign it).
>   * Vendor (special, simple).  Contains the name of the Vendor
>     - Field is mandatory if Role has the value "vendor", otherwise
>       it should be absent.
>     - Example value: Debian
>   * Vendor-URI (optional, simple).  URI to the vendor's website or
>     documentation.
>     - Should be omitted if Vendor is not present.
>     - Example value: http://debian.org

> Open question: should we allow implementation specific fields with the
> usual "X-<field>" notation (or something similar)?

That would be useful for Emdebian and other derivatives who need to
preserve the original builder information and then sign the package
themselves as a builder (effectively a rebuilder), because we modify the
data.tar.gz and control.tar.gz without changing the md5sums of the
compiled files within the data.tar.gz. (We simply remove files & compress
debian/copyright). Preserving the original builder metadata helps
demonstrate binary compatibility with the original Debian package, as
the signature file for that builder would have to be removed - it's now
a broken sig.

If there is to be only one builder role, the additional fields can be
used to store the details of the original builder role, effectively
"transferring" the builder role to Emdebian and storing the old value
as another field. Reviewer doesn't really fit.

X-DebianBuilder: the Signer details from the original Debian package
X-DebianDate: the date the Debian package was signed.


Neil Williams
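To make the field rules in the quoted draft concrete, here is a small validator for the metadata paragraph of each signature file, covering the Role/Vendor/Vendor-URI constraints, the "at most one builder" rule across the signature files of one .deb, and the X- fields Neil proposes for a rebuild that keeps the original Debian builder details. This is an added example written for this page, not code from the bug report, from the specification draft or from dpkg; the assumption that each signature file carries one RFC-822 style "Field: value" paragraph, the "Signer" and "Date" field names, and the sample values are all constructed here.

```python
"""Validator for the signature-file metadata described in the draft above.

Added example, not part of the bug report or of any Debian tool.  Assumed
for illustration: one "Field: value" paragraph per signature file, and the
field names "Signer" and "Date" for the signer identity and signing time.
"""
import re

# The three roles the draft allows.
ROLES = {"builder", "reviewer", "vendor"}
# Fields named in the draft plus the two assumed ones (Signer, Date).
KNOWN_FIELDS = {"Role", "Vendor", "Vendor-URI", "Signer", "Date"}
FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*):\s*(.*)$")


def parse_paragraph(text):
    """Parse 'Field: value' lines into a dict; duplicate fields are rejected."""
    fields = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {line!r}")
        name, value = m.group(1), m.group(2).strip()
        if name in fields:
            raise ValueError(f"duplicate field: {name}")
        fields[name] = value
    return fields


def check_signature(fields):
    """Return the list of per-file rule violations (empty when the file is valid)."""
    problems = []
    role = fields.get("Role")
    if role is None:
        problems.append("Role is required")
    elif role not in ROLES:
        problems.append(f"Role {role!r} is not builder/reviewer/vendor")
    # Vendor is mandatory for the vendor role and must be absent otherwise.
    if role == "vendor" and "Vendor" not in fields:
        problems.append("Vendor is mandatory when Role is vendor")
    if role != "vendor" and "Vendor" in fields:
        problems.append("Vendor must be absent unless Role is vendor")
    # Vendor-URI only makes sense alongside Vendor.
    if "Vendor-URI" in fields and "Vendor" not in fields:
        problems.append("Vendor-URI must be omitted when Vendor is absent")
    # Anything outside the draft must use the X- namespace (open question in the draft).
    for name in fields:
        if name not in KNOWN_FIELDS and not name.startswith("X-"):
            problems.append(f"unknown field {name} (use X- for implementation-specific fields)")
    return problems


def check_package(paragraphs):
    """Check every signature file of one .deb plus the cross-file rule that
    at most one of them may carry the builder role."""
    problems = []
    builders = 0
    for i, text in enumerate(paragraphs):
        fields = parse_paragraph(text)
        problems.extend(f"sig {i}: {p}" for p in check_signature(fields))
        if fields.get("Role") == "builder":
            builders += 1
    if builders > 1:
        problems.append(f"{builders} signature files use the builder role; at most one allowed")
    return problems


# Constructed sample: an Emdebian-style rebuild.  The rebuilder takes the
# single builder slot and keeps the original Debian builder details in the
# X- fields proposed in the reply; a reviewer and a vendor signature follow.
REBUILT_DEB = [
    "Role: builder\n"
    "Signer: Emdebian Signing Key (example)\n"
    "X-DebianBuilder: Original Debian Signer (example)\n"
    "X-DebianDate: Mon, 11 Jun 2012 11:26:19 +0200\n",
    "Role: reviewer\n"
    "Signer: Reviewer Key (example)\n",
    "Role: vendor\n"
    "Vendor: Debian\n"
    "Vendor-URI: http://debian.org\n",
]

if __name__ == "__main__":
    print(check_package(REBUILT_DEB) or "all signature files conform to the draft")
    print(check_package(["Role: builder\n", "Role: builder\n"]))
```

The per-file checks and the cross-file builder count are deliberately separate: a single signature file cannot tell whether another file already claims the builder role, so that rule has to be enforced by whatever assembles or verifies the whole .deb.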

