* Roger Leigh (rle...@codelibre.net) [110501 19:04]:
> WRT the signing key, there would need to be some form of trust path
> or else the signature would be worthless. If packages are being
> uploaded to Debian infrastructure, and are under our control, can't
> we use a single signing key? We presumably verified the integrity
> and origin of the package on initial upload, so we should be able to
> use a generic signing key surely? If this is provided in a package
> then we can trigger automated installation of it.

I'd prefer the form that we currently do for e.g. backports: We import
the key on chroot creation, see APT_KEYS in 99builddsourceslist.
Advantage: we don't need to touch chroots if keys change.

> The main thing sbuild needs would be the information to add to
> sources.list, signing key packages etc. This would probably require
> passing from buildd, so probably more a question of how buildd will
> be configured and get the information to pass to sbuild.

buildds already receive a yaml-file from wanna-build, so part of the
question is easily answered. For testing purposes, one could make an
easy wanna-build with something like:

#! /bin/bash
# Any call whose arguments mention needs-build gets one package entry.
if echo "$*" | grep -q needs-build; then
    echo "devel/package_version [optional:out-of-date]"
    exit 0;
fi
# Every other call gets a YAML reply.
cat <<EOF
- package:
  - status: ok
  - pkg-ver: package_version
  - key1: value1
(etc)
EOF

(should be enough for handing out packages to buildd, replacing all
package by the package name, and version by the package version)


Andi