Bug#876055: Environment variable handling for reproducible builds

On Sun 2017-09-17 16:26:25 -0700, Russ Allbery wrote: > I personally lean towards 2, which is consistent with what's in Policy > right now, but I can see definite merits in 3. I believe the reproducible > builds project is currently sort of doing 1, but I have a hard time seeing > how to make

Re: Upstream Tarball Signature Files

On Fri 2017-08-18 14:43:58 +0200, Mattia Rizzolo wrote: > I'd love if something did this for me, pretty much like I'd love > something like that does a pretty output to debian/upstream/signing-key > like > https://sources.debian.net/src/inkscape/0.92.2-1/debian/upstream/signing-key.asc/

Re: Upstream Tarball Signature Files

On Fri 2017-08-18 12:08:02 +0200, Guillem Jover wrote: > Hmmm, I've been thinking about this a bit, and perhaps it would be > better if dpkg-source auto-converted any .sig binary signature into > an .asc ASCII armored one when generating the source package (as long > as there is no pre-existing

Bug#844431: Reproducibility in Policy

Thanks for the proposal. I like it! A few nit-picks below: On Fri 2017-08-11 16:08:47 -0700, Sean Whitton wrote: > - a version of a source package unpacked at a given path; I don't like the idea of hard-coding a fixed build path requirement into debian policy. We're over 80% with

Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

On Mon 2017-08-07 09:40:22 -0700, Russ Allbery wrote: > In an ideal world, we would have a documented set of metadata for finding > upstream releases, of which uscan is just one implementation, and document > that in Policy. In an ideal world, uscan would be able to verify signed git tags and

Bug#855320: developers-reference: Please do not recommend debrsign

Package: developers-reference Version: 3.4.18 Severity: normal Control: tags -1 patch Control: affects -1 devscripts Please do not mention debrsign in the developers-reference. The workflow encouraged by debrsign is less secure than the one we'd like to recommend for developers (it involves the

Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

Control: clone 732445 -2 Control: reassign -2 developers-reference Control: retitle -2 developers-reference should encourage verification of upstream cryptographic signatures Control: retitle 732445 debian-policy should encourage verification of upstream cryptographic signatures Hi Bill-- On

Bug#732445: debian-policy should encourage verification of upstream cryptographic signaturse

On 03/24/2014 07:51 PM, Russ Allbery wrote: I'm curious -- why do we have two different supported paths? At least in my experience the ASCII-armored key is much easier to deal with, since you don't have to configure dpkg to allow binary files in the debian directory. I'm not sure that I see

Re: Bug#608719: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]

On 05/30/2012 07:34 PM, Ben Hutchings wrote: Since we don't seem to have a specific directory for server certificates, I suppose it should be under /etc/dovecot. If anyone following this bug report is coming to debconf12, i've submitted a BoF proposal to try to get together and hammer out some

Re: Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]

On 04/09/2012 10:35 AM, Kurt Roeckx wrote: On Mon, Apr 09, 2012 at 09:52:44AM -0400, Daniel Kahn Gillmor wrote: On 04/07/2012 12:46 PM, Kurt Roeckx wrote: At least the certdata.txt file contains the information, you can edit in iceweasel/firefox. edit at runtime or at compile time? system

Re: Debian Policy about administrator X.509 certificate stores

On 04/02/2012 12:48 PM, Russ Allbery wrote: Bill Allombert bill.allomb...@math.u-bordeaux1.fr writes: Another issue is that no directories is provided for the system administrator to put their local certs. Of course they can use /etc/ssl/certs, but then the certs are drowned by the number.

Re: Debian Policy about administrator X.509 certificate stores

On 04/02/2012 03:54 PM, Russ Allbery wrote: You definitely want class 0 and class 2 certs hashed into the same directory under nearly all circumstances that don't involve being very paranoid about the CAs that you accept, since that allows the OpenSSL CAdir directive to work properly and is

Debian Policy about administrator X.509 certificate stores [was: Re: dovecot-common: please do not use /etc/ssl/certs for end-entity X.509 certificates (/etc/ssl/certs/dovecot.pem)]

[this discussion started on http://bugs.debian.org/608719] On 03/19/2012 11:14 PM, Ben Hutchings wrote: On Sun, 2011-01-02 at 18:20 -0500, Daniel Kahn Gillmor wrote: It looks like dovecot-common's postinst script creates a new X.509 certificate and places it in /etc/ssl/certs/dovecot.pem

Bug#473019: debian-policy: clarification needed for local builtin exception for /bin/sh

Package: debian-policy Version: 3.7.3.0 Severity: normal Tags: patch The scripts section of chapter 10 is somewhat ambiguous about whether declaring multiple local variables is acceptable or not: file:///usr/share/doc/debian-policy/policy.html/ch-files.html#s-scripts For example, is the

Bug#473019: debian-policy: clarification needed for local builtin exception for /bin/sh

Thanks for the quick response, Russ. On Thu 2008-03-27 16:16:31 -0400, Russ Allbery wrote: The intention when I originally wrote the text was to not allow declaring multiple variables with one local line, since at the time I was told that some shells didn't support this. I think your first