[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Resolving the kernel debug symbols vs signing problem



When implementing signed kernel packages, I wanted to make the signed
image packages (built from linux-signed) take un-suffixed names so that
existing procedures to install specific kernel versions would pick the
signed packages, and users would be discouraged from installing
unsigned packages.

This has interacted poorly with dak's handling of 'auto-built' debug
symbol packages, as those are built by src:linux but don't include the
'-unsigned' suffix in their names.  The debug symbol packages are added
to the overrides file but are later automatically pruned, so that
uploads that don't add new binary packages may still require NEW
processing.  I think this has to be solved before the stable release.

Therefore I intend to rename the binary packages as follows with the
next uploads to unstable:

- src:linux builds linux-image packages without a name suffix
- src:linux-signed builds linux-image packages with a '-signed' suffix
- src:linux-latest builds linux-image meta-packages that depend on the
  '-signed' package where available

One alternative could be to build duplicate debug symbol packages in
src:linux and src:linux-signed, but that's a big waste of archive space
and requires a maintainer to upload the debug symbol packages for one
architecture (over 500 MiB per flavour) whenever there's an ABI bump.

Please let me know if you have a preference or an alternate solution.

(Also, if dak will not be signing packages in time for stretch,
src:linux-signed must be removed from testing and the other packages
changed accordingly.  I *will* *not* personally sign kernels for a
stable release.)

Ben.

-- 
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by
stupidity.

Attachment: signature.asc
Description: This is a digitally signed message part


Reply to: