Ben Hutchings writes:
> On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:
>> Is there any documentation on how this is supposed to work?
> Nothing comprehensive as yet. Where should it go?

It doesn't need to be comprehensive. I just would like to understand
what needs to happen.

>> What uses the signatures the archive is planned to write to dists/*?
> Scripts for preparing the source packages that build signed binaries.
> (Which will probably be included in those source packages, but don't
> have to be.)

How does building signed binaries work? That sounds like the signature
gets merged into the binaries dak signed in some way?

>> It looks wrong to bypass embargoed for the signatures. We avoid showing
>> which packages will get security updates in the future.
> That's a fair point. But they need to be findable by a maintainer who
> doesn't have access to embargoed packages in general. How about using
> a hash of the changelog?

Wouldn't the maintainer need access to the embargoed binaries as well as
the signatures to prepare the signed version?