On 2016-10-18 07:34 PM, Ansgar Burchardt wrote:
Ben Hutchings writes:
On Tue, 2016-10-18 at 22:55 +0200, Ansgar Burchardt wrote:
Is there any documentation how this is supposed to work?
Nothing comprehensive as yet. Where should it go?
It doesn't need to be comprehensive. I would just like to understand
what needs to happen.
What uses the signatures the archive is planned to write to dists/*?
Scripts for preparing the source packages that build signed binaries.
(Which will probably be included in those source packages, but don't
have to be.)
How does building signed binaries work? That sounds like the signature
gets merged into the binaries dak signed in some way?
It looks wrong to bypass embargoed for the signatures. We avoid showing
which packages will get security updates in the future.
That's a fair point. But they need to be findable by a maintainer who
doesn't have access to embargoed packages in general. How about using
a hash of the changelog?
Wouldn't the maintainer need access to the embargoed binaries as well as
the signatures to prepare the signed version?
As we briefly discussed on IRC, we could solve all this by making dak
publish the -signed packages automatically. Is this a good solution?
Please, let me know your opinion so I can go ahead and implement a first
version of it.
Thanks
Helen Koike
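The "hash of the changelog" lookup that Ben suggests above, and Ansgar's follow-up that the maintainer also needs the matching binaries, can be sketched as a small model. This is an added example, not code from dak, from the linux-signed packaging, or from anyone in the thread. It assumes a hypothetical layout in which the archive stores each package's detached signatures under a directory named by the SHA-256 of its debian/changelog rather than by package name, so a directory listing does not reveal which embargoed packages are about to get updates; the archive, the changelog and the binaries are constructed in-line, and HMAC stands in for the real signing service (it is not a signature scheme, only a verifiable placeholder so the example runs offline).

```python
"""Hypothetical model of changelog-keyed signature bundles (added example).

Archive side: store detached signatures under a key derived from the changelog.
Maintainer side: derive the same key from the changelog in hand, fetch the
bundle, and refuse to merge any signature whose binary does not match the one
actually present locally.
"""
import hashlib
import hmac

# Stand-in for the archive's real signing key/service (constructed, not real).
_ARCHIVE_KEY = b"constructed-stand-in-archive-key"


def stand_in_sign(blob: bytes) -> bytes:
    """Placeholder for the archive's signer; HMAC, not a real signature."""
    return hmac.new(_ARCHIVE_KEY, blob, hashlib.sha256).digest()


def stand_in_verify(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(blob), sig)


def changelog_key(changelog_text: str) -> str:
    """Directory name for a package's bundle: SHA-256 of its changelog.

    Line endings are normalised so a CRLF/LF difference between the archive's
    copy and the maintainer's copy does not break the lookup.
    """
    data = changelog_text.replace("\r\n", "\n").encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def publish_bundle(archive: dict, changelog_text: str,
                   binaries: dict, sign=stand_in_sign) -> str:
    """Archive side: write one bundle keyed by changelog hash, never by name.

    Each entry records the digest of the signed binary next to the detached
    signature so the consumer can check it has the same bytes before merging.
    """
    key = changelog_key(changelog_text)
    archive[key] = {
        path: {"sha256": hashlib.sha256(blob).hexdigest(), "sig": sign(blob)}
        for path, blob in binaries.items()
    }
    return key


def fetch_signatures(archive: dict, changelog_text: str,
                     local_binaries: dict) -> dict:
    """Maintainer side: locate the bundle and pair each signature with its binary.

    Raises LookupError if no bundle exists for this changelog or a signed
    binary is not available locally (the point Ansgar raises: signatures alone
    are not enough), and ValueError if the local binary differs from the one
    the archive signed.
    """
    bundle = archive.get(changelog_key(changelog_text))
    if bundle is None:
        raise LookupError("no signature bundle published for this changelog")
    sigs = {}
    for path, entry in bundle.items():
        blob = local_binaries.get(path)
        if blob is None:
            raise LookupError(f"{path}: signed binary not available locally")
        if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            raise ValueError(f"{path}: local binary differs from the signed one")
        sigs[path] = entry["sig"]
    return sigs


# Constructed sample data: a minimal changelog and two fake "binaries".
SAMPLE_CHANGELOG = (
    "linux (4.7.8-1) unstable; urgency=high\n\n"
    "  * Constructed changelog entry for the example.\n\n"
    " -- Example Maintainer <maint@example.invalid>  Tue, 18 Oct 2016 22:55:00 +0200\n"
)
SAMPLE_BINARIES = {
    "boot/vmlinuz": b"\x7fELF constructed kernel image",
    "lib/modules/example.ko": b"\x7fELF constructed module",
}

if __name__ == "__main__":
    archive = {}
    key = publish_bundle(archive, SAMPLE_CHANGELOG, SAMPLE_BINARIES)
    print("bundle directory:", key)          # opaque hex; no package name visible
    sigs = fetch_signatures(archive, SAMPLE_CHANGELOG, SAMPLE_BINARIES)
    for path, sig in sigs.items():
        print(path, "ok" if stand_in_verify(SAMPLE_BINARIES[path], sig) else "BAD")
```

The key is only as private as the changelog: anyone who can reconstruct the exact changelog text can compute it, which is the trade-off behind using it as a findable-but-unlisted name.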