
Re: Bits from the ftpmasters

On Mon, Feb 21, 2005 at 12:01:58AM +0100, Pierre Habouzit wrote:
> On Sunday 20 February 2005 22:42, Goswin von Brederlow wrote:
> > Pierre Habouzit <pierre.habouzit@m4x.org> writes:
> > >> It's a little OT, but I think that the upload mechanisms should be
> > >> enhanced a little to be able to *certify* that a package has been
> > >> reviewed by many DDs. The Uploaders field is not signed, and is not
> > >> trustworthy. I guess this should be really interesting
> > >> information (even not for OT)
> > >
> > > even not for NEW ... sorry
> >
> > Multiple signatures in the changes file? Does gpg allow that in a way
> > the existing scripts would still cope with? Maybe it is as simple as
> > that.
> AFAIK, there is a gpg sig in the .dsc too.
> but instead of signing the same files twice, I believe it is easier to
> upload the changes and the dsc multiple times, or to change the .dsc
> and .changes into directories containing multiple files.

Allow people to provide detached signatures of the .dsc which get included
as extra files in the .changes.  When the package (including the .changes)
gets uploaded, the signatures of the source package (in the form of the dsc)
can be verified and signified as OK by the archive tools.

So the process for getting a new package in (or even a new upload of an
existing package, if you wanted to get anal about it) would be for people to
review the source package, and then generate a detached signature for the
dsc if they were happy with it.  They then only need to send the signature
to the uploader, who includes it in the .changes at upload time.  Hence
package checking can be parallelised, too, with multiple people checking all
at once.

I don't *think* the package management tools would require any changes to
avoid barfing on these signatures, but the archive tools would, of course,
need to be modified to check signatures on newly uploaded packages.

NEW would still have to be processed by hand, though -- crypto notifications
still need to be sent, and the protection provided by two crap developers
working on a package isn't that much better than one crap developer
working on a package.

- Matt
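
The archive-side check described in the message above, sketched as an added example that is not part of the original post and is not code from Debian's archive tools. It assumes the .changes carries a Checksums-Sha256 field, that reviewer signatures are named `<dsc>.review-<who>.asc` (a hypothetical convention), and that the keyring path is a placeholder.

```python
import hashlib, os, re, subprocess

# Assumption: reviewer signatures are named <dsc>.review-<who>.asc (hypothetical).
REVIEW_SIG = re.compile(r"^(?P<dsc>[\w.+~-]+\.dsc)\.review-[\w.-]+\.asc$")

def sha256_entries(changes_text):
    """Map filename -> (sha256, size) from the Checksums-Sha256 field of a .changes."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_field = False
    return entries

def matches(upload_dir, name, entry):
    """True if the uploaded file has the digest and size the .changes declares."""
    try:
        with open(os.path.join(upload_dir, name), "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    return (hashlib.sha256(data).hexdigest(), len(data)) == entry

def gpgv_status(upload_dir, sig, dsc, keyring="/path/to/keyring.gpg"):  # placeholder
    """Run gpgv on a detached signature and return its machine-readable status."""
    cmd = ["gpgv", "--keyring", keyring, "--status-fd", "1",
           os.path.join(upload_dir, sig), os.path.join(upload_dir, dsc)]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def valid_fingerprint(status):
    """Fingerprint from a VALIDSIG line (primary key if reported), else None."""
    for line in status.splitlines():
        f = line.split()
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) > 2:
            return f[11] if len(f) > 11 else f[2]
    return None

def reviewers(changes_text, upload_dir, verify=gpgv_status):
    """Distinct keys with a valid detached signature over the .dsc in this upload."""
    listed, found = sha256_entries(changes_text), set()
    for name in listed:
        m = REVIEW_SIG.match(name)
        # Only trust files whose content matches what the signed .changes lists.
        if m and m["dsc"] in listed and all(
                matches(upload_dir, n, listed[n]) for n in (name, m["dsc"])):
            fpr = valid_fingerprint(verify(upload_dir, name, m["dsc"]))
            if fpr:
                found.add(fpr)
    return found
```

Counting distinct fingerprints rather than signature files means a reviewer who signs twice is counted once; an archive policy would compare `len(reviewers(...))` against whatever threshold it requires.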
