On Wed, 2017-04-12 at 07:50 +0000, Niels Thykier wrote:
> Ben Hutchings:
> > When implementing signed kernel packages, I wanted to make the signed
> > image packages (built from linux-signed) take un-suffixed names so that
> > existing procedures to install specific kernel versions would pick the
> > signed packages, and users would be discouraged from installing
> > unsigned packages.
> >
>
> Hi,
>
> That makes sense to me. :) I particularly liked that part of the design
> choice. :)
>
> > This has interacted poorly with dak's handling of 'auto-built' debug
> > symbol packages, as those are built by src:linux but don't include the
> > '-unsigned' suffix in their names. The debug symbol packages are added
> > to the overrides file but are later automatically pruned, so that
> > uploads that don't add new binary packages may still require NEW
> > processing.
>
> It almost certainly does.

Sometimes it does, sometimes it doesn't.

[...]
> > I think this has to be solved before the stable release.
> >
>
> I am probably missing something here, but wouldn't it be possible to go
> back to the original -dbg (as a "worst case" option) and defer these
> changes to buster? Not saying I like it, I just want to know whether I
> missed something.

We could do, but do you think it's OK to do so for all architectures?
Previously we did not, mainly due to concern about bloating the
archive.

> > Therefore I intend to rename the binary packages as follows with the
> > next uploads to unstable:
> >
> > - src:linux builds linux-image packages without a name suffix
> > - src:linux-signed builds linux-image packages with a '-signed' suffix
> > - src:linux-latest builds linux-image meta-packages that depend on the
> >   '-signed' package where available
> >
>
> This would undo the very nice property of the image packages being
> signed "by default", wouldn't it?

Yes, exactly.

[...]
> > (Also, if dak will not be signing packages in time for stretch,
> > src:linux-signed must be removed from testing and the other packages
> > changed accordingly. I *will* *not* personally sign kernels for a
> > stable release.)
> >
> > Ben.
> >
>
> Ok - I wouldn't want that responsibility either. If the signed ones are
> easy to re-implement, perhaps just switch now and add a blocker bug to
> #820036 filed against linux.

I'm not sure which switch you're referring to here.

> That way, testing is closer to a
> release-ready state, which is generally what we want right now.

Ben.

-- 
Ben Hutchings
I'm not a reverse psychological virus. Please don't copy me into your sig.