On Thu, 2010-03-18 at 12:39 +0100, Harald Braumann wrote:
> On Thu, Mar 18, 2010 at 08:31:40AM +0100, Goswin von Brederlow wrote:
> > Russ Allbery <r...@debian.org> writes:
> > > Simon McVittie <s...@debian.org> writes:
> > >
> > >> Most packages (in terms of proportion of the archive, in particular for
> > >> architectures other than i386 and amd64) are built by a buildd, so each
> > >> buildd would have to have a signing key that could sign the checksums
> > >> file during build.
>
> Self-contained packages, where the signature is included and installed
> along with the checksum file, would have a lot of
> advantages. You wouldn't need access to a lot of infrastructure just
> to verify a signature. It would be very simple. It could be used for
> packages, that are not part of Debian. For instance, I could produce a
> package and send it to a friend and he could later use my key for
> verification.

Oh please no. Don't advocate sending individual .deb files, ever.
This practice should be strongly discouraged.

One brilliant part of Debian packaging *is* the APT infrastructure, some
key features:
1. Security updates
2. Bug fixes
4. Dependency resolution
5. Smoother dist-upgrades because:
 5a. The APT repository provides newer versions, with updated
     dependencies (libraries transitions...)
 5b. The user doesn't have to visit each web site to dist-upgrade
6. Single GPG key to manage (revocation; update...)
7. Single GPG key to trust (per repository)

If people and ISVs start publishing individual .deb, they (and we) will
have to face the same problem as Windows/Mac/whatever had to solve: each
application will need to embed a feature to "Check for update", etc.

I am spending about 2 hours every two months on my parents' computer, just
to update all the damned Windows applications. Who really wants Debian to
go down that way?

I must say that if someone can't "set up" an APT repository to publish
packages, you should reconsider the installation of any package from
that person/ISV.
(Reminder: the Debian Policy has 135 pages; whoever can read and use it
to create a proper package can also read a few manpages to set up a
repository.)

The same stands for RPM & co.

cat < /home/fpiat/2¢ >> debian-devel

Regards,

Franklin

Archive: http://lists.debian.org/1268986453.3488.183.ca...@solid.paris.klabs.be