* Goswin von Brederlow ([EMAIL PROTECTED]) [031202 04:55]:
> Andreas Barth <[EMAIL PROTECTED]> writes:
> > Technical details should IMHO be discussed later, but a sample
> > passport could look like:
> >
> > accepted by katie on Mon, 1 Dec 2003 20:34:58 +0000 because of good
> > signature of DD, KeyID 0x01234567
> > build by DD on Sun, 30 Nov 2003 14:34:33 +0100
> > mgetty-voice_1.1.30-6_i386.deb
> > 450b2b4ffa0be49b43f7358099117f7d control.tar.gz
> > fb00a05d140ec3e830d6227f3fdd743d data.tar.gz

> All debs would contain the same string "accepted by katie on * because
> of good signature of DD, KeyID *". That's a lot of bytes wasted.

There is a mere misunderstanding. If you signed the deb, katie would
write "accepted by katie on * because of good signature of Goswin von
Brederlow <[EMAIL PROTECTED]>, KeyID 0x...".

And of course, this string should be made shorter, but that's
something we can at the moment leave for later discussion IMHO. It
could e.g. be:
"katie: 2003-...: sig ok, Goswin von Brederlow <[EMAIL PROTECTED]>, 0x...."

> The date is already stored in the ar archive so that's wasted too.

Almost everything is "already stored in the ar archive". But not in a
secure way. The question is just: Which information is needed to be
secured. And I for myself want the day something was transferred to the
pool to be signed.

> Each signing instance should have a unique key. The key ID then
> identifies who signed it and the reason (being always the same) could
> be documented in some Readme.

The reason is not always necessarily the same, e.g. if someone
sponsors someone else. However, this could be solved with your
proposal.

> I agree with you that every instance along the way to the archive
> should sign the package:

fine.

> debsigs allows for 10 chars for the name of the signature.
> 8 chars would be key ID.
> 1-2 chars could be used to denote the reason of the signature:
>
> DM - DD maintainer
> NM - non DD maintainer
> DN - non maintainer upload by a DD
> NN - non maintainer non dd upload
> SP - sponsor
> BD - buildd
> BA - buildd admin
> DI - deinstall

Good idea.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
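
Added example, not part of the original message: a Python illustration of the point that the date in the ar container is not covered by per-member digests, so it is only trustworthy if it is written into the signed passport. The function names, the "<md5> <member>" line layout (taken from the sample passport above) and the sample contents are assumptions, and the passport's own signature is assumed to have been verified already.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_pack(members, mtime):
    """Build an ar archive (the .deb container) from {name: bytes}."""
    out = AR_MAGIC
    for name, data in members.items():
        # 60-byte header: name, mtime, uid, gid, mode, size, end marker
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
            name.encode(), mtime, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")
    return out

def ar_parse(blob):
    """Return {name: (mtime, data)}; rejects malformed or truncated input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, off = {}, len(AR_MAGIC)
    while off < len(blob):
        hdr = blob[off:off + 60]
        if len(hdr) != 60 or hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        mtime, size = int(hdr[16:28].decode()), int(hdr[48:58].decode())
        data = blob[off + 60:off + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members[name] = (mtime, data)
        off += 60 + size + size % 2   # members are padded to even offsets
    return members

def digest_lines(blob):
    """Passport body: one '<md5> <member>' line per member (MD5 as in the
    2003 sample; a current design would use SHA-256)."""
    return sorted(f"{hashlib.md5(d).hexdigest()} {n}"
                  for n, (_, d) in ar_parse(blob).items())

def mismatches(blob, passport_lines):
    """Members whose digest line is absent from the already verified passport."""
    ok = set(passport_lines)
    return [l.split()[1] for l in digest_lines(blob) if l not in ok]

# Constructed sample contents, not a real .deb
SAMPLE = {"debian-binary": b"2.0\n", "control.tar.gz": b"ctrl",
          "data.tar.gz": b"payload"}
DEB = ar_pack(SAMPLE, mtime=1070310898)
PASSPORT = digest_lines(DEB)
REDATED = ar_pack(SAMPLE, mtime=0)   # only the unsigned ar date changes
TAMPERED = ar_pack({**SAMPLE, "data.tar.gz": b"PAYLOAD"}, mtime=1070310898)
```

`mismatches(REDATED, PASSPORT)` is empty even though every member's ar date was rewritten, while `mismatches(TAMPERED, PASSPORT)` names `data.tar.gz`.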