Ben Hutchings writes:
> On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:
>> Is there any documentation how this is supposed to work?
>
> Nothing comprehensive as yet. Where should it go?

It doesn't need to be comprehensive. I just would like to understand
what needs to happen.

>> What uses the signatures the archive is planned to write to dists/*?
>
> Scripts for preparing the source packages that build signed binaries.
> (Which will probably be included in those source packages, but don't
> have to be.)

How does building signed binaries work? That sounds like the signature
gets merged into the binaries dak signed in some way?

>> It looks wrong to bypass embargoed for the signatures. We avoid showing
>> which packages will get security updates in the future.
>
> That's a fair point. But they need to be findable by a maintainer who
> doesn't have access to embargoed packages in general. How about using
> a hash of the changelog?

Wouldn't the maintainer need access to the embargoed binaries as well as
the signatures to prepare the signed version?

Ansgar