[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

debsigs - status and plans?

[ Added Peter on CC in case he's not reading the -dpkg list ]

Hi folks,

I'm working on a project where inline signatures on Debian-style
packages would be very useful, so I've started playing with debsigs
and debsig-verify. Both packages *appear* to be maintained, with
uploads during the Bullseye development cycle. But right now things
don't work with gpg2, as shipped in Buster onwards (#988368,
#988646). I'm also very surprised that debsigs doesn't have any
verification code (#988369) - I'd always expect tools like this to be
able to verify their own output!

AIUI there was a plan to integrate signing more closely with dpkg. Is
that likely to happen at some point, and if so will it be compatible
with what's already shipped? If so, I may be able to help with the
existing tools. Alternatively, I may need to develop a parallel
implementation for my project, and obviously I'd like to stay
compatible if that's possible.

Can you give me some advice here please?

Steve McIntyre, Cambridge, UK.                                steve@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
            handing rope-creating factories for users to hang multiple
            instances of themselves.

Reply to: