On Fri, 4 Apr 2003, Colin Watson wrote:

> On Fri, Apr 04, 2003 at 05:05:09PM +0200, A Mennucc1 wrote:
> > I would like to sponsor a package of a friend
> >
> > the first time, I (of course) check the package
> > (lintian, install it, etc etc)
> >
> > but what about the next times? what is the best practice?
> >
> > 1) simply resign it, and upload.
> >
> > 2) rebuild it from source each time
>
> Never sign something you haven't built.
>
> > I would prefer the 1st, for saving my time, but I have problems.
> > Is there any easy way to strip away the signature of the sponsoree
> > and sign it with mine? there used to be a 'dpkg-signpackage'
> > command, but I can't find it anymore
>
> debsign, maybe?

Just to chime in, I never sponsor anything I haven't built myself either.
I recommend getting the sponsoree to send you only the orig.tar.gz, the
diff.gz, and the .dsc file. That way you'll know that the package builds
from source. Then build with:

    dpkg-buildpackage -rfakeroot -us -uc

Once I'm satisfied with the build, lintian/linda checks, and that the
package installs/deinstalls ok, etc., then I sign with debsign. I just
dropped a script into ~/bin/ that should be called with the .changes
file(s) as the argument.

    [EMAIL PROTECTED]:~$ cat bin/dsign
    #!/bin/sh
    # Pass each .changes file through as its own argument.
    debsign [EMAIL PROTECTED] "$@"

HTH,
tony
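
A check a sponsor can run on the three files received, before the dpkg-buildpackage step described above (an added example, not part of the thread and not Debian's own tooling). It assumes the .dsc carries the Checksums-Sha256 field written by current dpkg; the function names and the hello_1.0 sample package are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: verify files listed in a .dsc.

# Print "sha256 size name" for each entry of the Checksums-Sha256 field.
dsc_entries() {
    awk '/^Checksums-Sha256:/ { f = 1; next }
         f && /^ /            { print $1, $2, $3; next }
                              { f = 0 }' "$1"
}

# Return 0 only if every listed file sits beside the .dsc and matches.
verify_dsc() {
    dir=$(dirname "$1")
    entries=$(dsc_entries "$1")
    [ -n "$entries" ] || { echo "no Checksums-Sha256 in $1" >&2; return 2; }
    rc=0
    while read -r want_sum want_size name; do
        case $name in   # a listed name must never point outside the directory
            ""|*/*) echo "REJECT bad file name '$name'" >&2; rc=1; continue ;;
        esac
        [ -f "$dir/$name" ] || { echo "MISSING $name" >&2; rc=1; continue; }
        got_size=$(wc -c < "$dir/$name" | tr -d ' ')
        got_sum=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got_size" = "$want_size" ] && [ "$got_sum" = "$want_sum" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done <<EOF
$entries
EOF
    return "$rc"
}

# Constructed sample: a fake two-file source package plus matching .dsc.
make_sample() {
    printf 'upstream\n' > "$1/hello_1.0.orig.tar.gz"
    printf 'packaging\n' > "$1/hello_1.0-1.diff.gz"
    {
        printf 'Format: 1.0\nSource: hello\nVersion: 1.0-1\nChecksums-Sha256:\n'
        for f in hello_1.0.orig.tar.gz hello_1.0-1.diff.gz; do
            printf ' %s %s %s\n' "$(sha256sum "$1/$f" | cut -d' ' -f1)" \
                "$(wc -c < "$1/$f" | tr -d ' ')" "$f"
        done
    } > "$1/hello_1.0-1.dsc"
}

if [ "$#" -gt 0 ]; then verify_dsc "$1"; fi
```

A pass only shows that the files match what the .dsc describes; the build, lintian/linda and install checks still come before signing.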