On 2019-04-13 13:07, Philipp Kern wrote:
> On 4/13/2019 12:49 PM, Aurelien Jarno wrote:
> > The process to inject all packages to debian-ports is to get all the
> > deb, udeb and buildinfo files from the archives (main and debug) and
> > associate them with the .changes files that are hosted on coccia. We'll
> > also need to fetch all the associated GPG keys used to sign the changes
> > files. Then we can inject that in the debian-ports archive.
>
> I'm curious how the GPG bit works given that there is no guarantee that
> the signature can be validated at any other point in time than ingestion
> on ftp-master - especially considering the rotation/expiry of subkeys
> and buildd keys.

All the old buildd keys can be fetched from fasolo and can be used to
validate the signatures.

> In this case the files already come from a trusted
> source and should be ingested as-is, I guess? (Not that I particularly
> like the fact that it's only a point in time validation.)

Yes in that case, it's possible to re-sign the changes files, or let the
buildds rebuild the corresponding packages.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
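
The association step described in the thread (matching fetched deb, udeb and buildinfo files to the .changes file that lists them) can be sketched as follows. This is an added example, not code from the thread or from the debian-ports tooling: the function names, file names and payloads are hypothetical and constructed, and it assumes the signature on the .changes file has already been validated separately against the buildd keys.

```python
import hashlib

def parse_sha256_entries(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in changes_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t") and line.strip():
            digest, size, name = line.split()  # malformed entry raises: fail closed
            entries[name] = (digest.lower(), int(size))
        else:
            in_field = False  # any other field (or blank line) ends the list
    return entries

def check_upload(changes_text, available):
    """available: {filename: bytes} as fetched from the main and debug archives.
    Returns {filename: status}; only an all-'ok' report should be injected."""
    listed, report = parse_sha256_entries(changes_text), {}
    for name, (digest, size) in listed.items():
        data = available.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != size:
            report[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            report[name] = "sha256 mismatch"
        else:
            report[name] = "ok"
    for name in available.keys() - listed.keys():
        report[name] = "unlisted"  # fetched file that no .changes vouches for
    return report

# Constructed sample data (not real packages): payloads and a matching .changes body.
DEB = b"constructed deb payload"
BUILDINFO = b"constructed buildinfo payload"

def _entry(name, data):
    return " %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name)

SAMPLE_CHANGES = "\n".join([
    "Format: 1.8",
    "Source: hello",
    "Checksums-Sha256:",
    _entry("hello_1.0-1_hppa.deb", DEB),
    _entry("hello_1.0-1_hppa.buildinfo", BUILDINFO),
    "Files:",
])
```

A file reported as anything other than `ok` is one the signed .changes file does not vouch for, so the checksum match is what ties each binary back to the signature that was checked at ingestion.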