Re: Detached tarball signatures vs. clearsigned checksum files
On Mon, 29 Jun 2015 at 15:13:44 +0100, Andrea Bolandrina wrote:
> how do I remove myself from this mailing list? There is no link at the bottom (or anywhere else)...

Yes, not in the body but in the headers:

List-Unsubscribe: http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear, mailto:dropbear-requ...@ucc.asn.au?subject=unsubscribe

--
Guilhem.
Re: Detached tarball signatures vs. clearsigned checksum files
Hi,

On Mon, 29 Jun 2015 at 21:27:23 +0800, Matt Johnston wrote:
> New Debian packages would be great. I've signed releases/dropbear-2015.67.tar.bz2.sig for the latest one so far, I'll keep more for future releases.
> […]
> Making a new pgp key has been on my todo list so there is now a Dropbear Release Key. (The old key is DSA so seemed to only make SHA1 signatures)

That's great, thanks! While I'm at it, please also consider excluding mercurial dotfiles from the tarballs:

diff --git a/release.sh b/release.sh index f377d0e..f2c6cad 100755 --- a/release.sh +++ b/release.sh @@ -27,7 +27,7 @@ if test -e $ARCHIVE; then exit 1 fi -hg archive $RELDIR || exit 2 +hg archive $RELDIR -X .hg* || exit 2 (cd $RELDIR autoconf autoheader) || exit 2

(Not sure if you left the ‘./debian’ directory on purpose, but if not you might want to exclude it as well.)

Cheers,
--
Guilhem.
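Review bot: In the changed line `hg archive $RELDIR -X .hg* || exit 2` the exclude pattern is unquoted, so the shell may expand `.hg*` against the directory release.sh runs in before hg ever sees it; only the first match would then be taken as the `-X` argument and the remaining matches would be passed as extra arguments. Quote the pattern, e.g. `-X '.hg*'`, and consider putting the option before `$RELDIR`. The glob is also broad, dropping every path that begins with `.hg`; if only some of those files should be left out, name them explicitly.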
Re: Detached tarball signatures vs. clearsigned checksum files
On Mon, Jun 29, 2015 at 03:51:54PM +0200, Guilhem Moulin wrote:
> That's great, thanks! While I'm at it, please also consider excluding mercurial dotfiles from the tarballs:

Do they cause a problem? At least hg_archival.txt is kind of useful to see which hg revision made the tarball.

> (Not sure if you left the ‘./debian’ directory on purpose, but if not you might want to exclude it as well.)

I build debs myself for my own use so I'll leave it there.

Cheers,
Matt
Re: Mercurial dotfiles (Was: Detached tarball signatures vs. clearsigned checksum files)
On Mon, 29 Jun 2015 at 22:06:20 +0800, Matt Johnston wrote:
> On Mon, Jun 29, 2015 at 03:51:54PM +0200, Guilhem Moulin wrote:
>> That's great, thanks! While I'm at it, please also consider excluding mercurial dotfiles from the tarballs:
>
> Do they cause a problem? At least hg_archival.txt is kind of useful to see which hg revision made the tarball.

Nah I guess they are harmless; now that you say it hg_archival.txt can be useful indeed, and in fact lintian(1) only complains about .hgtags:

https://lintian.debian.org/tags/source-contains-hg-tags-file.html

--
Guilhem.
Re: Detached tarball signatures vs. clearsigned checksum files
On Sun, Jun 28, 2015 at 06:02:01PM +0200, Guilhem Moulin wrote:
> I'm currently helping out packaging dropbear for Debian [0]. As mentioned on your webpage the dropbear package is currently rather outdated (even sid is lagging behind with 2014.65-1), and in order to reduce the delays between upstream and package releases I'd like to make the import of upstream tarballs easier.

snip

> This would make importing further releases much easier :-) In a nutshell this is what I have in mind:
>
> ./dropbear-2015.67.tar.bz2
> ./dropbear-2015.67.tar.bz2.sig (or .asc for armored files)
> ./SHA256SUM (optional)

snip

> Also risking nitpicking, you could also modify your gpg(1) digest preferences to something stronger than SHA1 [1] :-P For instance:

Hi Guilhem,

New Debian packages would be great. I've signed releases/dropbear-2015.67.tar.bz2.sig for the latest one so far, I'll keep more for future releases.

Making a new pgp key has been on my todo list so there is now a Dropbear Release Key. (The old key is DSA so seemed to only make SHA1 signatures)

https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc

pub 4096R/F29C6773 2015-06-29
Key fingerprint = F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773
uid Dropbear SSH Release Signing m...@ucc.asn.au

It's signed by the old key and my new personal key

pub 4096R/C20BBAAC 2015-06-29
Key fingerprint = 1F1A F0BB EC7C F375 9FFA 1191 F498 3012 C20B BAAC
uid Matt Johnston m...@ucc.asn.au
sub 4096R/D5581050 2015-06-29

Cheers,
Matt
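An added example, not part of the thread or of the Dropbear project: one way a packager could check a detached release signature against the release key fingerprint posted above and reject SHA1 digests, by reading gpg's machine-readable status output. The function names are hypothetical and the sample status lines are constructed.

```python
import subprocess

# Release key fingerprint as posted in the message above, spaces removed.
RELEASE_KEY_FPR = "F7347EF2EE2E07A267628CA944931494F29C6773"
# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) treated as too weak here.
WEAK_HASH_IDS = {"1": "MD5", "2": "SHA1"}
FATAL = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def check_status(status_text, pinned_fpr=RELEASE_KEY_FPR):
    """Return (ok, reason) for the --status-fd output of one signature check."""
    valid = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if fields and fields[0] in FATAL:
            return False, fields[0]
        if fields and fields[0] == "VALIDSIG":
            valid = fields[1:]
    if valid is None or len(valid) < 9:
        return False, "no VALIDSIG line"
    # VALIDSIG fields: fingerprint, date, timestamp, expiry, version, reserved,
    # pubkey algo, hash algo, sig class, [primary key fingerprint]
    signer = valid[9] if len(valid) > 9 else valid[0]
    if signer.upper() != pinned_fpr:
        return False, "unexpected signer " + signer
    if valid[7] in WEAK_HASH_IDS:
        return False, "weak digest " + WEAK_HASH_IDS[valid[7]]
    return True, "ok"

def verify_release(tarball, signature):
    """Run gpg on a detached signature and apply check_status() to its output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    if proc.returncode != 0:
        return False, "gpg exit %d" % proc.returncode
    return check_status(proc.stdout)

# Constructed status output: RSA (1) + SHA256 (8) signature by the release key.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG 44931494F29C6773 Dropbear SSH Release Signing\n"
    "[GNUPG:] VALIDSIG " + RELEASE_KEY_FPR + " 2015-06-29 1435586000 0 4 0 1 8 00 "
    + RELEASE_KEY_FPR + "\n")
# Constructed status output: DSA (17) + SHA1 (2) signature by a made-up key.
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_SHA1 = ("[GNUPG:] VALIDSIG " + CONSTRUCTED_FPR
               + " 2015-06-01 1433116800 0 4 0 17 2 00 " + CONSTRUCTED_FPR + "\n")
```

Pinning the full fingerprint rather than the 8-character key ID shown in the `pub` lines avoids accepting a signature from a different key that merely shares the short ID.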
Re: Detached tarball signatures vs. clearsigned checksum files
Hello,

how do I remove myself from this mailing list? There is no link at the bottom (or anywhere else)...

On Mon, Jun 29, 2015 at 3:06 PM, Matt Johnston m...@ucc.asn.au wrote:
> On Mon, Jun 29, 2015 at 03:51:54PM +0200, Guilhem Moulin wrote:
>> That's great, thanks! While I'm at it, please also consider excluding mercurial dotfiles from the tarballs:
>
> Do they cause a problem? At least hg_archival.txt is kind of useful to see which hg revision made the tarball.
>
>> (Not sure if you left the ‘./debian’ directory on purpose, but if not you might want to exclude it as well.)
>
> I build debs myself for my own use so I'll leave it there.
>
> Cheers,
> Matt