On Thu, 24 Nov 2005, Anthony Towns wrote: > On Wed, Nov 23, 2005 at 04:37:05PM -0200, Henrique de Moraes Holschuh wrote: > > On Thu, 24 Nov 2005, Anthony Towns wrote: > > > Personally, I think it's cryptographic snake oil, at least in so far > > A signed deb has a seal of procedence and allows one to track the path it > > made through the system, and who changed it. > > That's what the .changes file is for.
Well, assuming .changes is not snake-oil, then why should in-deb sigs be called snake-oil? After all, according to you they essentially do the same job. Still, .changes file do not carry all the information in-deb sigs do (although they could, if we sign the .changes files more than once -- but changes are DAK will croak on that too). They're not stored along with the .debs anywhere (we could change that too, I suppose... but I doubt one extra file per source in the archive will be welcome). They are *far* from being as simple to handle as in-deb signatures. Not to mention that doing the inverse path (from .deb to .changes) is far more complicated than using in-deb sigs, and is only possible in fact if you either always respect some sort of naming convention to go from source package to .changes (and this *IS* a kludge), or if you read all .change files hunting for the file you want in the MD5s. > Uh, packages not uploaded to the official Debian archive can do whatever > they want. Sure. But I for one won't be building all debs twice, and many others won't either. And proper support for in-deb signatures means added functionality in a lot of other utilities that won't happen if Debian doesn't use in-deb signatures, etc. So, it makes a damn big difference if the Debian archive accepts signed debs or not. -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]