Guillem Jover:
> Control: severity -1 wishlist
>
> On Thu, 2016-11-10 at 19:49:03 +0100, Ximin Luo wrote:
>> Package: dpkg-dev
>> Version: 1.18.13
>> Severity: important
>
>> We would like dpkg-buildpackage to clearsign the buildinfo files that are
>> created. This allows them to be uploaded to services similar to keyservers,
>> for auditing and attestation purposes, that may be run independently of the
>> FTP archive.
>
> Yeah I know, and I had noticed this already just after the upload, but
> just noted it down with the other things I'd like to discuss
> regarding the buildinfo files, which I'll try to start this week, once
> the current uploads settle down a bit.
>
>> I'm happy to write this patch myself. That will take a little bit more time - I
>> wanted to file this bug report early to check that you're not opposed to this
>> idea - and before too many other tools start assuming that buildinfo files are
>> unsigned. I think this should not be the case by default, just as you rarely
>> see an unsigned .dsc being distributed.
>>
>> There would also be a -ub option added, along the same lines as -us and -uc.
>> Then debsign from devscripts will also need to be updated, and I'll be happy to
>> write the patch for this too.
>
> I'm planning on finishing up and merging the dpkg-sign branch, so this
> would be probably wasteful. I'll include the necessary changes there.
>
Thanks for the quick reply! Is dpkg-sign meant to obsolete debsign? If not, I can work on the latter in the meantime.

I see dpkg-sign currently has a `-ub` option there that conflicts with what I suggested above:

https://git.hadrons.org/cgit/debian/dpkg/dpkg.git/commit/?h=pu/dpkg-sign&id=598ae495a149ecacc8e319934a67d7f5a01c498c

and debsign should be consistent with whatever the eventually-decided options are.

In any case, feel free to give me tasks to do for this! That is what I am being paid for after all. :)

X

--
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git