* Wouter Verhelst ([EMAIL PROTECTED]) [031202 19:40]:
> As much as I like this idea in principle, storing signatures inside
> .debs has a serious problem: it won't work for us buildd maintainers.

Workability for the buildd maintainers is IMHO _certainly_ one important
thing.

> As I explain in my document on wanna-build (usually at
> http://people.debian.org/~wouter/wanna-build-states, but due to some
> problems with that machine temporarily currently at
> http://www.grep.be/wanna-build-states.html too), buildd maintainers do
> not manually log in to their autobuilder to sign each and every .changes
> on its hard disk; instead, they extract the .changes file from the mails
> of successful messages sent to them (and to [EMAIL PROTECTED],
> which processes them into what people can look up on
> http://buildd.debian.org), sign that, and send it back. In reply, the

What checks do you do to such a package before signing?

> So unless you have a suggestion that would solve this particular issue,
> I'm afraid this idea won't work in practice.

Two suggestions come to my mind. However, I can't judge how useful they
are in reality.

Signing by the buildd: The buildd could sign the debs by a buildd-key
(one key for each buildd and each year). They could sign e.g. after they
get the changes file back signed by the build admin. The debian archive
scripts accept packages signed by a buildd-key only if it is a binary
package for this architecture, the key is valid (i.e. in the right
year), and this package has been handed out to this autobuilder for
building.

Creating special helper scripts: It could be possible to extract a small
file (more or less like the current changes file) out of each deb. So
you could just sign this file, and send it back to the buildd. The
buildd would then extract the signature, and include it into the deb
before upload. This would however need to change the way debsign works:
Currently debsign makes a simple binary stream out of the members of the
ar. Instead of this, debsign should create e.g. a md5sum-file (like the
current changes, but "one level lower") out of the binaries, and then
sign this file.

It is possible to write a verify-script that could accept the old and
the new verifying-method.

Cheers,
Andi
-- 
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
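The "one level lower" signing object Andi proposes, as an added example that is not part of this thread and not debsign's own code: it walks the ar container of a .deb, emits an md5sum manifest of the members (the text that would be signed instead of the raw ar byte stream), and checks an archive against such a manifest. The in-memory ar builder, the member contents and the `_sig` name for a signature member added after signing are constructed assumptions.

```python
import hashlib
import io

AR_MAGIC = b"!<arch>\n"

def build_ar(members):
    """Build a minimal ar archive (the container of a .deb) in memory.
    `members` is a list of (name, bytes); constructed test input only."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        out.write((f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}"
                   ).encode("ascii") + b"`\n")
        out.write(data)
        if len(data) % 2:               # members are padded to even length
            out.write(b"\n")
    return out.getvalue()

def ar_members(blob):
    """Yield (name, data) for every member of an ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        yield name, data
        pos += 60 + size + (size % 2)   # skip the pad byte, if any

def member_manifest(blob):
    """One line per member: md5sum, size, name. This text is what gets signed."""
    return "".join(f"{hashlib.md5(d).hexdigest()} {len(d)} {n}\n"
                   for n, d in ar_members(blob))

def verify_manifest(blob, manifest, ignore=()):
    """True iff every listed member matches and no unlisted member exists,
    except members named in `ignore` (e.g. a signature member added later)."""
    expected = {}
    for line in manifest.splitlines():
        digest, size, name = line.split(" ", 2)
        expected[name] = (digest, int(size))
    seen = set()
    for name, data in ar_members(blob):
        if name in ignore:
            continue
        if name not in expected:
            return False
        digest, size = expected[name]
        if len(data) != size or hashlib.md5(data).hexdigest() != digest:
            return False
        seen.add(name)
    return seen == set(expected)
```

A real tool would sign the manifest text with the builder's key and store signature and manifest together as the extra member; the checks above are the part that must also accept the old whole-stream method if both are to coexist.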