I'm very interested in helping with this (at least as a tester). I've been playing around with a lot of the related tools lately, anyway. Maybe an elegant solution can be found to deal with the transition period. I currently just use a straight dpkg-buildpackage command. Because it can't sign the package it gives me a beep. I don't mind that - it lets me know that the build is finished :)
On 1 Jul 1998, James Troup wrote:

> Date: 01 Jul 1998 17:07:38 +0100
> From: James Troup <[EMAIL PROTECTED]>
> To: [email protected]
> Subject: Re: Replacing/phasing out PGP (was Re: Idea for non-free organization)
> Resent-Date: 1 Jul 1998 16:07:45 -0000
> Resent-From: [email protected]
> Resent-cc: recipient list not shown: ;
>
> [EMAIL PROTECTED] writes:
>
> > How difficult would it be to extend our infrastructure (new maintainer
> > acceptance; developer-keyring; dpkg-dev) with support for gpg?
>
> The debian-keyring package (to be uploaded RSN (honest)) contains a
> debian-keyring.gpg. If you want to generate a GNUpg key and send it
> to [EMAIL PROTECTED], it'll be added.
>
> New maintainer is not a problem; as soon as GNUpg is in place, we'll
> just insist maintainers use it (as opposed to insisting they use
> non-free software).
>
> dpkg-dev and dinstall are the only things that need to be fixed.
> dinstall is trivial, it just has to handle gnupg signed packages.
> dpkg-dev is more complex; does gnupg become the default signing method
> in unstable? If so we should change the pgp-command in
> dpkg-buildpackage to default to gpg.
>
> But this will bite lots of current maintainers who try to build
> packages and get flummoxed when build/dpkg-buildpackage starts moaning
> "gpg command not found" and they then have to be told to do -ppgp. If
> pgp stays as default we have to tell all new maintainers to use -pgpg
> because their PGP keys won't be in the Debian keyring. It's not a
> nice situation, and I would like to hear what others think.
>
> Either way, I seriously detest the use of the non-free PGP in Debian,
> it's rank hypocrisy and it has already lost us at least one new
> maintainer, and I think now that we have GNUpg it would be
> unbelievably Wrong not to use it in place of PGP. IMO, either by
> slink (if we go to FHS in slink [i.e. every package has to be
> reuploaded anyway]) or in 2.2/whatever, you should be able to verify a
> Debian package without using the non-free PGP. This means forcing all
> developers to generate gnupg keys; I don't personally see this as a
> problem (again, it's a case of forcing free software onto developers,
> so we don't have to force non-free software onto our users and new
> developers), but I suspect some people will.
>
> --
> James
> ~Yawn And Walk North~ http://yawn.nocrew.org/
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

