* Goswin von Brederlow ([EMAIL PROTECTED]) [031201 14:40]: > Instead of keeping extra files with the signature of the deb the > information could be stored inside the deb itself. Of cause the > signature can't be contained in the thing being signed. Instead the > signature would be added to the end or the ar archive and contain > signatures for all the files (uncompressed?) before it in the archive. > [...]
In principle I agree with your plan. Just a few suggestions what could (perhaps?) be also done: I would like it even more if there would be something along each package that identifies what was done to the deb-file since creation (see it as a something like a "passport" or "signature file", where each entry adds new information to the file). This would also have the advantage that a system administator could verify signatures without following who is accepted as a DD, and who is resigning - without a compromise of the debian server, verifying any deb with the archive key is enough. If there is however a suspecion of problems, he could always make stricter checks, without requiring more infos from the archive. (And of course, any administrator could also make checks stricter and demand a signature by a DD plus a signature by the archive script). More in detail this would mean that after building, the maintainer signs the md5sums, and a "build this package on <date>". After accepted by the archive, the archive script adds a line with something like "accepted by katie on <date> because of good signature of <Name> <KeyId>" to the top, and signs the whole thing. This has one major drawback: Either the deb-file must be changed during acceptance to the archive, or the "passport" must reside in an extra file. (And there is of course a "mixed mode" possible: Extra file at the moment, and after sarge is released, the files move within the deb.) Technical details should IMHO be discussed later, but a sample passport could look like: accepted by katie on Mon, 1 Dec 2003 20:34:58 +0000 because of good signature of DD, KeyID 0x01234567 build by DD on Sun, 30 Nov 2003 14:34:33 +0100 mgetty-voice_1.1.30-6_i386.deb 450b2b4ffa0be49b43f7358099117f7d control.tar.gz fb00a05d140ec3e830d6227f3fdd743d data.tar.gz Cheers, Andi -- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
