On Fri, 2010-03-19 at 17:40 +0100, Wouter Verhelst wrote:
> On Thu, Mar 18, 2010 at 04:52:07PM -0700, Russ Allbery wrote:
> > You add an additional ar member that contains the signed checksums of all
> > of the files in data.tar.gz, possibly another additional member that
> > contains the signed checksums for control.tar.gz, or you document some
> > convention so that you can combine both into the same signed checksum
> > document.
>
> That'd work pretty well, indeed. It would also have the advantage of
> making it theoretically possible to reverse the addition of the
> signatures again, should one want to re-verify against the original
> .changes file for some reason. That's of course assuming that the
> combination of "ar a" and "ar d" in whatever way dpkg does that is
> idempotent, but I don't see why it couldn't be.
>
> And as you say, this can be implemented in dak. That would have the
> advantage of not requiring keys on the buildds.
>
> So now that it's been reduced to a technical problem, who's going to do
> the implementation?

Yes, this solution is elegant. It shouldn't break anything, it is self-contained in the package.

> I'm prepared to look at a dpkg patch, but Python
> just does not work for me.

My priority is the md5sum replacement, but I'll be happy to help if/when I can.

Regards,

Franklin
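
The extra-member scheme discussed in this thread, as an added example that is not part of the original messages and is not dpkg or dak code: it appends a checksum document for data.tar.gz as a further ar member and shows that cutting that member out again restores the package byte for byte. The member name `_checksums`, the use of SHA-256, and the sample package are assumptions made for illustration; signing the document is left out.

```python
import hashlib, io, tarfile

def ar_member(name, data):
    """One ar member: 60-byte header, data, newline pad to an even length."""
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def ar_walk(blob):
    """Return [(name, start, end, data)] for each member, validating headers."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    out, pos = [], 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        size = int(hdr[48:58].decode())
        end = pos + 60 + size + size % 2
        out.append((hdr[:16].decode().rstrip(), pos, end, blob[pos + 60:pos + 60 + size]))
        pos = end
    return out

def checksum_doc(tar_gz):
    """'hash  path' line per regular file in the tarball; this is what would be signed."""
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        rows = [(hashlib.sha256(tar.extractfile(m).read()).hexdigest(), m.name)
                for m in tar if m.isfile()]
    return "".join("%s  %s\n" % row for row in rows).encode()

def drop_member(deb, name):  # cut header + data + pad; other members untouched
    for member, start, end, _ in ar_walk(deb):
        if member == name:
            return deb[:start] + deb[end:]
    return deb

# Constructed sample input (not a real package), built in memory.
def make_tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

DATA = make_tar_gz({"usr/bin/hello": b"#!/bin/sh\necho hello\n"})
PARTS = [("debian-binary", b"2.0\n"), ("data.tar.gz", DATA),
         ("control.tar.gz", make_tar_gz({"control": b"Package: hello\n"}))]
DEB = b"!<arch>\n" + b"".join(ar_member(n, d) for n, d in PARTS)
SIGNED = DEB + ar_member("_checksums", checksum_doc(DATA))  # hypothetical member name
```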