* Wouter Verhelst ([EMAIL PROTECTED]) [031203 23:10]:
> On Wed 03-12-2003, at 10:09, Andreas Barth wrote:
> > > > file back signed by the build admin. The debian archive scripts
> > > > accept packages signed by a buildd-key only if it is a binary package
> > > > for this architecture, the key is valid (i.e. in the right year), and
> > > > this package has been handed out to this autobuilder for building.
> > >
> > > Valid for the autobuilder the package has been handed to and that sends
> > > it in and if the changes file is correct.
> > >
> > > But what if the buildd failed and someone manually builds the deb,
> > > signs it and uploads? The debian archive scripts would need a way to
> > > distinguish between autobuild packages and manually built binary-only
> > > uploads.
>
> I don't see why that would be the case. Could you elaborate?
>
> > The archive script would of course continue to accept any deb by any
> > DD under the same conditions as today. The question to the
> > buildd-admins is: How often does this happen?
>
> Hardly ever, if at all. Most "manual" bin-NMU's are done by people that
> are not buildd admins.

I don't understand what you mean. Perhaps it would be best if I try to
rephrase my ideas:

The archive scripts accept a package currently if the following
conditions are met:
* There is a signed changes file for the debs by a DD

These would be hardened to the following:
* There is a signed changes file for the debs by a DD
* The debs are signed
  - by a DD or
  - by a buildd, if this buildd was the one to build this package.

So, the archive scripts don't distinguish between autobuild packages and
manually built binary-only packages, but they look at the debs, and
verify the signature. If the signature is by a DD, everything is ok. If
the signature is by a buildd, they verify that the buildd had had a job
to build this deb.

Ok?


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C
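
The acceptance rule proposed in this message, together with the buildd-key conditions from the quoted text (right architecture, key valid in the current year, package handed out to that autobuilder), written out as an added example. It is not part of the original mail and not the Debian archive scripts' code; the key ids, the job table and every name in it are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Key:
    kind: str                         # "dd" (developer) or "buildd"
    arch: Optional[str] = None        # buildd keys: the one architecture they build
    valid_year: Optional[int] = None  # buildd keys: year the key is valid for

@dataclass(frozen=True)
class Deb:
    package: str
    version: str
    arch: str
    signer: Optional[str]             # key id on the .deb, None if unsigned

# Constructed sample data: key ids, names and job table are made up.
KEYRING = {
    "DD-ALICE": Key("dd"),
    "BUILDD-M68K-2003": Key("buildd", arch="m68k", valid_year=2003),
    "BUILDD-ARM-2002": Key("buildd", arch="arm", valid_year=2002),
}
# (package, version, arch) -> buildd key the job was handed out to
HANDED_OUT = {("foo", "1.0-1", "m68k"): "BUILDD-M68K-2003",
              ("foo", "1.0-1", "arm"): "BUILDD-ARM-2002"}

def check_upload(changes_signer, debs, year, keyring=KEYRING, jobs=HANDED_OUT):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    signer = keyring.get(changes_signer)
    if signer is None or signer.kind != "dd":
        reasons.append("changes file is not signed by a DD")
    for deb in debs:
        key = keyring.get(deb.signer)
        job = (deb.package, deb.version, deb.arch)
        if key is None:
            reasons.append(f"{deb.package}_{deb.arch}: no acceptable signature")
        elif key.kind == "dd":
            continue                  # a DD signature is sufficient on its own
        elif key.valid_year != year:
            reasons.append(f"{deb.package}_{deb.arch}: buildd key not valid in {year}")
        elif key.arch != deb.arch:
            reasons.append(f"{deb.package}_{deb.arch}: buildd key is for {key.arch}")
        elif jobs.get(job) != deb.signer:
            reasons.append(f"{deb.package}_{deb.arch}: not handed out to this buildd")
    return reasons
```

A manual binary-only upload signed by a DD passes without any job lookup, while a buildd signature is only honoured for the exact package, version and architecture recorded as handed out to that key.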