Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-07 Thread Steve Langasek
On Thu, Jan 06, 2005 at 12:55:14PM +, Henning Makholm wrote:
> Scripsit Steve Langasek [EMAIL PROTECTED]
> > On Wed, Jan 05, 2005 at 11:47:57PM +, Henning Makholm wrote:
>
> > > Does it also apply to signing .dsc's?
>
> > The archive scripts won't act on an uploaded .dsc without an accompanying
> > .changes file, so this is not an issue.  Moreover, signing your .dsc
> > provides a trust path to your source code
>
> I think that is what I meant: If I sign a .dsc that is not intended to
> be uploaded, is there a risk that this trust path ends up in the
> archive because somebody else constructs a .changes to put them in?
> The somebody else would have to be a DD, but the signature the
> general public [1] would see in aptable source repositories would be
> mine.

I believe katie does check the sigs on .dscs, which requires that the sig be
from a DD.  Even if there were a bug in this check, I wouldn't worry overly
much, *you* wouldn't be the one in trouble for uploading a package in that
state ;P

-- 
Steve Langasek
postmodern programmer




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-06 Thread Henning Makholm
Scripsit Steve Langasek [EMAIL PROTECTED]
> On Wed, Jan 05, 2005 at 11:47:57PM +, Henning Makholm wrote:
>
> > Does it also apply to signing .dsc's?
>
> The archive scripts won't act on an uploaded .dsc without an accompanying
> .changes file, so this is not an issue.  Moreover, signing your .dsc
> provides a trust path to your source code

I think that is what I meant: If I sign a .dsc that is not intended to
be uploaded, is there a risk that this trust path ends up in the
archive because somebody else constructs a .changes to put them in?
The somebody else would have to be a DD, but the signature the
general public [1] would see in aptable source repositories would be
mine.

Or do the archive scripts check that the key that signed the .dsc is
the same that signed the .changes accompanying them?

[1] People with sufficient knowledge would know to look up the
.changes in the PTS or the mailing list archives, but it is not
generally distributed afaiu.

-- 
Henning Makholm  Ambiguous cases are defined as those for which the
   compiler being used finds a legitimate interpretation
   which is different from that which the user had in mind.




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-06 Thread Greg Folkert
On Wed, 2005-01-05 at 23:18 +, Martin Michlmayr wrote:
> Greg doesn't appear to be a Debian developer so neither of these
> applies.  The first paragraph is good advice in general, though.

Apologies for not expounding on this point. Any further deeds done this
way, will be disclaimed that I am not a Debian Developer.

I just wish there was Debian Hardware/Software Vendor representative or
something. So we could give blessings/help/advice/set-of-hands helping
with ISVs and IHVs, understand the reasons behind Debian and how to USE
the infrastructure to their advantage. Showing them the methods that
make administrative things in Debian a piece of cake. And why they
should support it, from both  policy and quality standpoints.

I guess, you would call these Sales Representatives or Systems
Engineering Sales Support or Pre-Sales Technical Support or something in
the Commercial & Government Sectors.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster: Linux




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-05 Thread Greg Folkert
On Wed, 2005-01-05 at 08:55 -0500, Greg Folkert wrote:
> I have built this package for alpha and it does indeed work. I have
> bundled it up in a tgz making it easier to D/L. But all the files are
> there as well for individual inspection. Along with the md5sums
>
> http://www.gregfolkert.net/experimental/
>
> not an archive by any means, but available at your discretion.

BTW, someone pointed out I didn't sign the .changes file... ummm oops.

First real try at building the packages for general consumption. My bad.
-- 
greg, [EMAIL PROTECTED]

The technology that is
Stronger, better, faster:  Linux




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-05 Thread Steve Langasek
On Wed, Jan 05, 2005 at 09:27:50AM -0500, Greg Folkert wrote:
> On Wed, 2005-01-05 at 08:55 -0500, Greg Folkert wrote:
> > I have built this package for alpha and it does indeed work. I have
> > bundled it up in a tgz making it easier to D/L. But all the files are
> > there as well for individual inspection. Along with the md5sums
>
> > http://www.gregfolkert.net/experimental/
>
> > not an archive by any means, but available at your discretion.
>
> BTW, someone pointed out I didn't sign the .changes file... ummm oops.
>
> First real try at building the packages for general consumption. My bad.

Be careful: in general, you should *not* sign changes files for packages
that are not intended to be included in the Debian archive.  Once the
changes file is signed, anyone can upload your package to the Debian archive
whether that was your intent or not.

It's trivial to ensure your changes file will be rejected by katie, by
setting the 'distribution' field in your changelog to an unknown value.  In
this case, your package would also be rejected because it's a sourceful
upload of a package that already has source in the archive; but if this had
not been the case, you might have found yourself blamed for whatever bugs
this build introduced.

In any case, perhaps this particular build should have been a binary-only
upload to experimental, to join the i386 build already there?

Cheers,
-- 
Steve Langasek
postmodern programmer


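The two archive-side checks Steve describes above (a .changes file is only acted on if it is signed, and an unknown Distribution: value gets it rejected) can be imitated locally before anything is signed or distributed. The script below is an added example written for this page; it is not part of the thread and is not code from katie/dak. It parses the OpenPGP clearsign framing of a .changes file, parses the Distribution: and Files: fields, and verifies the listed md5sums against files on disk. KNOWN_DISTRIBUTIONS is an assumed suite list, the sample .changes and its signature block are constructed placeholders, and the signature is not cryptographically verified (that needs gpg and the Debian keyring); only its presence is checked.

```python
"""Local pre-upload guard for a Debian .changes file (added example, not dak code)."""
import hashlib
import os
import tempfile

# Assumed set of accepted suites; the real archive scripts read this from config.
KNOWN_DISTRIBUTIONS = {"stable", "testing", "unstable", "experimental"}

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def strip_clearsign(text):
    """Return (signed_body, was_signed); undoes OpenPGP dash-escaping of the body."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED or BEGIN_SIG not in lines or END_SIG not in lines:
        return text, False
    i = 1
    while i < len(lines) and lines[i].strip():   # skip armor headers (Hash: ...)
        i += 1
    body = lines[i + 1:lines.index(BEGIN_SIG)]
    body = [l[2:] if l.startswith("- ") else l for l in body]
    return "\n".join(body), True


def parse_changes(body):
    """Parse RFC822-style fields; Files: becomes a list of dicts (md5, size, section, priority, name)."""
    fields, key = {}, None
    for line in body.splitlines():
        if line.startswith((" ", "\t")) and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    files = []
    for entry in fields.get("Files", "").split("\n"):
        parts = entry.split()
        if len(parts) == 5:
            files.append(dict(zip(("md5", "size", "section", "priority", "name"), parts)))
    return fields, files


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_changes(text, directory):
    """Return (accepted, reasons) for a .changes text and the directory holding its files."""
    reasons = []
    body, signed = strip_clearsign(text)
    if not signed:
        reasons.append("changes file is not signed; the archive would not act on it")
    fields, files = parse_changes(body)
    dists = set(fields.get("Distribution", "").split())
    unknown = dists - KNOWN_DISTRIBUTIONS
    if not dists or unknown:
        reasons.append("unknown distribution(s): %s" % (" ".join(sorted(unknown)) or "<none>"))
    if not files:
        reasons.append("no Files: entries")
    for f in files:
        path = os.path.join(directory, f["name"])
        if not os.path.isfile(path):
            reasons.append("missing file %s" % f["name"])
        elif os.path.getsize(path) != int(f["size"]) or md5_of(path) != f["md5"]:
            reasons.append("size/md5 mismatch for %s" % f["name"])
    return (not reasons), reasons


def make_changes(distribution, name, size, md5, signed=True):
    """Construct a sample .changes; the signature block is a placeholder, not a real signature."""
    body = ("Format: 1.7\nSource: gaim\nBinary: gaim\nArchitecture: alpha\n"
            "Version: 1:1.1.1-2\nDistribution: %s\n"
            "Files:\n %s %d net optional %s\n" % (distribution, md5, size, name))
    if not signed:
        return body
    return "%s\nHash: SHA1\n\n%s%s\nVersion: GnuPG\n\nbm90IGEgcmVhbCBzaWduYXR1cmU=\n%s\n" % (
        BEGIN_SIGNED, body, BEGIN_SIG, END_SIG)


def demo():
    """Run the guard over constructed uploads: a private 'local-only' suite vs experimental."""
    with tempfile.TemporaryDirectory() as d:
        name = "gaim_1.1.1-2_alpha.deb"
        payload = b"not a real .deb; constructed payload for the example\n"
        with open(os.path.join(d, name), "wb") as f:
            f.write(payload)
        md5, size = hashlib.md5(payload).hexdigest(), len(payload)
        return {
            "local": check_changes(make_changes("local-only", name, size, md5), d),
            "exp": check_changes(make_changes("experimental", name, size, md5), d),
            "unsigned": check_changes(make_changes("experimental", name, size, md5, signed=False), d),
            "tampered": check_changes(make_changes("experimental", name, size, "0" * 32), d),
        }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(label, "ACCEPT" if ok else "REJECT", "; ".join(why))
```

The "local-only" case is the mitigation from the message above: a .changes whose Distribution: names a suite the archive does not know is rejected before its signature ever matters, so a signed file that leaks cannot be turned into an upload. The "tampered" case shows the other property the md5sums in Files: give you: the signed .changes binds the exact .deb contents, so a substituted binary fails the check.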


Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-05 Thread Martin Michlmayr
* Steve Langasek [EMAIL PROTECTED] [2005-01-05 15:12]:
> Be careful: in general, you should *not* sign changes files for
> packages that are not intended to be included in the Debian archive.
> Once the changes file is signed, anyone can upload your package to
> the Debian archive whether that was your intent or not.
...
> In any case, perhaps this particular build should have been a
> binary-only upload to experimental, to join the i386 build already
> there?

Greg doesn't appear to be a Debian developer so neither of these
applies.  The first paragraph is good advice in general, though.

-- 
Martin Michlmayr
http://www.cyrius.com/




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-05 Thread Henning Makholm
Scripsit Martin Michlmayr [EMAIL PROTECTED]
> * Steve Langasek [EMAIL PROTECTED] [2005-01-05 15:12]:
>
> > Be careful: in general, you should *not* sign changes files for
> > packages that are not intended to be included in the Debian archive.
> > Once the changes file is signed, anyone can upload your package to
> > the Debian archive whether that was your intent or not.
>
> Greg doesn't appear to be a Debian developer so neither of these
> applies.

But if he later *does* become a DD, the archive scripts might
retroactively accept his old changes file if somebody uploaded it,
wouldn't they?  (I'd be surprised if they checked the creation date of
the signature, but things sometimes do surprise me).

Here I ignore the fact that a newer version would probably be in the
archive by then, for this particular package at least.

> The first paragraph is good advice in general, though.

Does it also apply to signing .dsc's?

-- 
Henning Makholm  He who joyfully eats soup has already earned
my contempt. He has been given teeth by mistake,
  since for him the intestines would fully suffice.




Re: Experimental gaim_1.1.1-2 for Alpha

2005-01-05 Thread Steve Langasek
On Wed, Jan 05, 2005 at 11:47:57PM +, Henning Makholm wrote:
> Scripsit Martin Michlmayr [EMAIL PROTECTED]
> > * Steve Langasek [EMAIL PROTECTED] [2005-01-05 15:12]:
>
> > > Be careful: in general, you should *not* sign changes files for
> > > packages that are not intended to be included in the Debian archive.
> > > Once the changes file is signed, anyone can upload your package to
> > > the Debian archive whether that was your intent or not.
>
> > Greg doesn't appear to be a Debian developer so neither of these
> > applies.
>
> But if he later *does* become a DD, the archive scripts might
> retroactively accept his old changes file if somebody uploaded it,
> wouldn't they?  (I'd be surprised if they checked the creation date of
> the signature, but things sometimes do surprise me).
>
> Here I ignore the fact that a newer version would probably be in the
> archive by then, for this particular package at least.

In this case, I merely failed to realize Greg wasn't a DD.  Both you and
Martin are correct.

> > The first paragraph is good advice in general, though.
>
> Does it also apply to signing .dsc's?

The archive scripts won't act on an uploaded .dsc without an accompanying
.changes file, so this is not an issue.  Moreover, signing your .dsc
provides a trust path to your source code (in the case where you're making
sourceful changes -- Greg did not, so probably shouldn't need to distribute
a .dsc at all), so this is a good idea.

-- 
Steve Langasek
postmodern programmer

