Helping Arch Linux with package signing

2011-03-29 Thread Aaron Toponce
I'm sure everyone has read the following from LWN [1]. I was just thinking
that Debian has had package signing for a while, and the top users of the
PGP Strong Set [2] (maybe even most of it) are Debian developers. Seeing as
though Debian has such a strong history with OpenPGP and package signing, I
was wondering if we could help them along.

1: https://lwn.net/SubscriberLink/434990/4c611307c60a7ae1/
2: http://pgp.cs.uu.nl/plot/

Dan McGee, the lead Arch Linux developer, has stated [3] that he is willing
to accept patches getting OpenPGP implemented into Pacman and the rest of
Arch.

So, given the history of package signing with Debian, I'm wondering if
there is anything we can do as a project to help another project out. Be it
documentation, how-tos, patches, whatever. It appears to be open for
discussion [4], and even though I'm a hardcore Debian user through and
through, it would be great to see another GNU/Linux operating system step
up in the security ranks.

3: https://lwn.net/Articles/435251/
4: https://bugs.archlinux.org/task/5331

If I'm way out of line, then let me know.

Thoughts?

P.S.: I would have posted this to -devel, but I didn't know if it would be
appropriate or not, and I figured many developers might be on this list
anyway, and if necessary, could cross-post it.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Package signing

2008-11-13 Thread Paras pradhan
I am creating a local debian lenny pool in which I need to add customized
debian lenny packages. For good practice, do I need to sign the modified
packages that I modified? If yes, how do I do it?

Thanks
Paras.


Re: Package signing

2008-11-13 Thread Michael Wagner
* Paras pradhan [EMAIL PROTECTED] 14.11.2008
> I am creating a local debian lenny pool in which I need to add customized
> debian lenny packages. For good practice, do I need to sign the modified
> packages that I modified? If yes, how do I do it?

Hello Paras,

I have here also a local repository with some packages and I only sign
the complete repository, not the particular packages. I have a small
script for doing this.

-
#!/bin/bash

cd repository
# build the package index for the flat repository
dpkg-scanpackages ./ /dev/null > Packages
# write the Release file, which carries the checksums of Packages
apt-ftparchive release . > Release
# detached, ASCII-armoured signature over Release only
gpg -abs -o Release.gpg Release
-

I have added my GPG-key with apt-key to the trusted keys and now I'm no
longer blamed with the message "These packages are from an untrusted
source ...".

This is not the best way, but it's enough for me.

Hth Michael

-- 
Boost system speed by 200% - DEL C:WINDOWS*.*


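As an added example that is not part of this thread (Python with constructed data, not Michael's script): the hash chain apt walks once the Release signature has been checked, which is why signing only Release covers every package listed in the index. Verifying Release.gpg itself is assumed to have been done separately with gpg.

```python
import hashlib

# Constructed stand-in for the bytes of a .deb (not a real archive).
DEB = b"constructed stand-in for hello_2.4-1_amd64.deb"
DEB_NAME = "./hello_2.4-1_amd64.deb"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_packages(deb):
    """Minimal stanza in the shape dpkg-scanpackages writes to Packages."""
    return (
        "Package: hello\nVersion: 2.4-1\nArchitecture: amd64\n"
        f"Filename: {DEB_NAME}\nSize: {len(deb)}\nSHA256: {sha256(deb)}\n"
    ).encode()


def build_release(packages):
    """Minimal Release file in the shape apt-ftparchive release writes."""
    return (
        "Suite: lenny\nArchitectures: amd64\nSHA256:\n"
        f" {sha256(packages)} {len(packages)} Packages\n"
    ).encode()


def release_sums(release):
    """Map each file listed under the Release SHA256 block to (digest, size)."""
    sums, in_block = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            sums[path] = (digest, int(size))
        else:
            in_block = False
    return sums


def packages_entries(packages):
    """Parse Packages stanzas into dicts keyed by field name."""
    return [dict(l.split(": ", 1) for l in s.splitlines())
            for s in packages.decode().strip().split("\n\n")]


def verify_chain(release, packages, deb, deb_name):
    """Release (signed) -> Packages -> .deb; any tampering below Release fails."""
    digest, size = release_sums(release).get("Packages", (None, None))
    if digest != sha256(packages) or size != len(packages):
        return False  # index does not match the signed Release
    for e in packages_entries(packages):
        if e["Filename"] == deb_name:
            return e["SHA256"] == sha256(deb) and int(e["Size"]) == len(deb)
    return False  # package not listed in the signed index
```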


Archive (or package) signing

2005-10-18 Thread csj
I've built a small (3GB) archive for (internal) use in my mixed
testing/unstable system (since it tends to be more stable that
way).  The new version of apt that drifted into testing keeps
giving me warnings about my packages.

Could somebody give me a link on how to (a how-to would be nice)
build signed packages or archives for people who maintain their
private archive of Debian packages?

Also, while aptitude or apt-get install complains about binary
packages coming from an untrusted or unauthenticated source,
there doesn't seem to be a similar warning mechanism to handle
source packages downloaded via apt-get source. Is this by design
or is there something broken in my apt set-up?

