On Fri, 4 Apr 2003, Colin Watson wrote:

> On Fri, Apr 04, 2003 at 05:05:09PM +0200, A Mennucc1 wrote:
> > I would like to sponsor a package of a friend
> >
> > the first time, I (of course) check the package
> > (lintian, install it, etc etc)
> >
> >
> > but what about the next times? what is the best practice?
> >
> >
> > 1) simply re-sign it, and upload.
> >
> > 2) rebuild it from source each time
>
> Never sign something you haven't built.
>
> > I would prefer the 1st, for saving my time, but I have problems.
> > Is there any easy way to strip away the signature of the sponsoree
> > and sign it with mine? there used to be a 'dpkg-signpackage'
> > command, but I can't find it anymore
>
> debsign, maybe?

Just to chime in, I never sponsor anything I haven't built myself either.
I recommend getting the sponsoree to send you only the orig.tar.gz, the
diff.gz, and the .dsc file.  That way you'll know that the package builds
from source.  Then build with:

        dpkg-buildpackage -rfakeroot -us -uc

Once I'm satisfied with the build, lintian/linda checks, and that the
package installs/deinstalls ok, etc., then I sign with debsign.  I just
dropped a script into ~/bin/ that should be called with the .changes
file(s) as the argument.

        [EMAIL PROTECTED]:~$ cat bin/dsign
        #!/bin/sh
        debsign [EMAIL PROTECTED] "$@"

HTH,
tony
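
The source-only intake and unsigned build described in the message above, as an added example that is not part of the original thread. It goes one step further than the message by also checking the received files against the checksums in the .dsc before building; the function names are hypothetical, and it assumes the .dsc carries a `Checksums-Sha256` field and that the sponsoree's files sit alone in one directory.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes the sponsoree's files sit alone in one directory and the .dsc
# has a Checksums-Sha256 field.

# Refuse anything that is not one of the three source artifacts.
source_only() {
    for f in "$1"/*; do
        case "$f" in
            *.dsc|*.orig.tar.gz|*.diff.gz) ;;
            *) echo "refusing non-source file: $f" >&2; return 1 ;;
        esac
    done
}

# Check each file listed under Checksums-Sha256 against what is on disk.
dsc_checksums_ok() {
    dsc=$1; dir=$(dirname "$dsc"); sums=$(mktemp)
    awk '/^Checksums-Sha256:/ { on = 1; next }
         /^[^ ]/              { on = 0 }
         on && NF == 3        { print $1 "  " $3 }' "$dsc" > "$sums"
    if [ -s "$sums" ] && (cd "$dir" && sha256sum -c "$sums" >&2); then
        rc=0
    else
        rc=1
    fi
    rm -f "$sums"; return $rc
}

# Intake checks, then the unsigned build from the message; signing is left
# as a separate manual step after review.
sponsor_build() {
    dsc=$1
    source_only "$(dirname "$dsc")" || return 1
    dsc_checksums_ok "$dsc" || return 1
    dpkg-source -x "$dsc" build-tree || return 1
    (cd build-tree && dpkg-buildpackage -rfakeroot -us -uc) || return 1
    lintian ./*.changes
    echo "Review build and lintian output, then: debsign <file>.changes"
}
# Usage: sponsor_build path/to/package.dsc
```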