Andreas Barth <[EMAIL PROTECTED]> writes:

> * Goswin von Brederlow ([EMAIL PROTECTED]) [031204 15:10]:
> > Andreas Barth <[EMAIL PROTECTED]> writes:
>
> > > Ok?
>
> > Sounds ok but the upload rules can be tightened much much later. First
> > we have to get signing started, which means fixing apt-utils or
> > debsigs or preferably both. And of course change policy to
> > allow/suggest it.
>
> I want to know before going on a trip where this trip is suggested to
> end. Of course, after knowing, we should really start with the first
> steps. And these are, as you say:
> - Fix apt-utils

Patch existing.

> - Sign md5sum-files instead of the concatenated binaries (to allow for
>   remote signing)

That would be a design change in debsigs and debsigs-verify. Small
one. Afaik it's still being looked into splitting gpg itself for remote
signing. The md5sum-file signing would be much simpler though.

> - Change policy
>
> And don't forget: Start to sign as soon as the toolchain is ready for
> it.

I made a little mirror with signed debs. Without preconfiguring or
with the one line patch to apt-utils it works fine.

I was working on a debsigs patch for more conform debs, actually a
dar (debian ar or deb ar) binary that supports deb archive ar files as
far as debsigs needs it, when the new opteron arrived. New toys always
distract.

MfG
Goswin