On Wed, Nov 29, 2000 at 04:12:39PM -0800, Sean 'Shaleh' Perry wrote:
> > Your UUID is the pkg+version+arch. From my viewpoint it's as simple as
> > that. Maybe the official policy needs to be updated so that it is clear
> > that any change to the binary packages, including just compile time changes,
> > requires a version update? That way you could change your "sigs" as often
> > as you'd like but you would know that a particular build was a particular
> > build.
> Ben neglected to talk about the signing policy ....
> You compile your package and upload it (signed by you) to unstable. 6 months
> later, when we are ready to release, the Release Manager has a Release Key and
> the packages themselves are signed by this key. Using md5sums fails here
> because the contents of the deb have changed (the sig was added). The version
> number should not be bumped because there is no packaging change.

Good grief. This would require all non-rsync mirrors to redownload *every* .deb in the newly released distribution in whole, and would require every user to redownload every package they've installed if they want to upgrade from foo-unstable to foo-stable. It'd also mean package signatures would not be checkable without special tools.

Note also that a UUID is fakeable, so just because one .deb with that UUID is correctly signed, it doesn't mean some other .deb with the same UUID is actually the same.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

  ``Thanks to all avid pokers out there'' -- linux.conf.au, 17-20 January 2001
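The mechanics behind the disagreement above, as an added example that is not part of the original thread: a .deb is an ar archive, so appending a signature as an extra member changes the whole-file md5sum that mirrors and users compare, while a digest computed over the original members alone is unaffected. The member name `_gpgrelease`, the constructed tarball and signature bytes, and the `_gpg` prefix filter are all assumptions made for this example.

```python
"""Minimal ar archive writer/reader in the .deb layout (example code)."""
import hashlib
import struct

def ar_member(name: str, data: bytes) -> bytes:
    """Encode one member using the 60-byte common ar header a .deb uses."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}".encode() + b"`\n"
    assert len(hdr) == 60
    return hdr + data + (b"\n" if len(data) % 2 else b"")  # pad to even

def build_ar(members: list[tuple[str, bytes]]) -> bytes:
    return b"!<arch>\n" + b"".join(ar_member(n, d) for n, d in members)

def parse_ar(blob: bytes) -> list[tuple[str, bytes]]:
    """Walk the archive and return (name, data) pairs in order."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos, out = 8, []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().rstrip()
        size = int(hdr[48:58].decode())
        out.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return out

def whole_file_md5(blob: bytes) -> str:
    """What a mirror or apt compares: the digest of the bytes on disk."""
    return hashlib.md5(blob).hexdigest()

def content_digest(blob: bytes, ignore_prefix: str = "_gpg") -> str:
    """Digest over the package members only; signature members (assumed
    to carry an _gpg prefix) are skipped, so it survives an appended sig."""
    h = hashlib.sha256()
    for name, data in parse_ar(blob):
        if name.startswith(ignore_prefix):
            continue
        h.update(name.encode() + b"\0" + struct.pack(">Q", len(data)) + data)
    return h.hexdigest()

# Constructed members standing in for a real package's contents.
MEMBERS = [("debian-binary", b"2.0\n"),
           ("control.tar.gz", b"<constructed control tarball>"),
           ("data.tar.gz", b"<constructed data tarball>")]
ORIGINAL = build_ar(MEMBERS)
# Constructed placeholder for a release signature appended as a new member.
SIGNED = build_ar(MEMBERS + [("_gpgrelease", b"<constructed signature bytes>")])

if __name__ == "__main__":
    print("whole-file md5 changed:", whole_file_md5(ORIGINAL) != whole_file_md5(SIGNED))
    print("content digest stable: ", content_digest(ORIGINAL) == content_digest(SIGNED))
```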