Simon Richter <[EMAIL PROTECTED]> writes:

>>> IF this means we can switch the effort to a detached signature that is more
>>> powerful than a .changes file (or we are allowed to have multiple signatures
>>> in a .changes file),
>
> That is already possible with gnupg, just not well-documented; I'm not
> entirely sure what interesting breakage would occur if one were to
> upload a changes file with multiple signatures.

It gives a parse error and the DAK rejects the file.

>>> where dpkg would simply refuse
>>> per user-set policy any non-signed deb or any deb without a specific
>>> signature...
>
>> I'm sorry, but you're back to the snakeoil use for deb sigs. Expecting
>> a signature by a random Debian developer to mean something is not
>> reasonable.

A signature in the deb by a random developer is as trustworthy as the
changes file and you already trust that. So we are going from snakeoil to
snakeoil. No harm done.

> That's why there can be multiple signatures. There would be one from
> the maintainer/buildd, a few from the Debian archive (for example, you
> could add one sig for "officially in Debian unstable", one for
> "migrated to testing" and one for "in a stable release") and if the
> idea of adding description/template translations later on catches on,
> also some from the translators/translation system.

Although that would alter the package's md5sum and even alter a package
while still being in a distribution (the unstable deb would suddenly gain
a signature). It would be a big change to allow this.

> Simon
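Added illustration of the two points argued above, not code from the thread, from dpkg or from dak: embedding signatures inside the .deb changes the file's md5sum every time a signature is added (so the checksum recorded in the .changes file, and the bytes on the mirrors, change when the archive or a translator signs later), whereas detached signatures leave the artifact untouched and can be accumulated and checked against a user-set policy. HMAC-SHA256 with per-signer keys stands in for OpenPGP signatures so the script runs without gnupg; the package bytes, signer names and keys are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a .deb. A real one is an ar archive; for this
# example only the fact that the bytes are hashed and signed matters.
DEB_BYTES = b"!<arch>\ndebian-binary\ncontrol.tar.gz\ndata.tar.gz\n(constructed)\n"

# What a .changes file records for the upload: the checksum of the .deb
# as the maintainer/buildd produced it.
RECORDED_MD5 = hashlib.md5(DEB_BYTES).hexdigest()

# Constructed signer keys. HMAC stands in for gpg; a real implementation
# would verify OpenPGP signatures against a keyring instead.
SIGNER_KEYS = {
    "maintainer": b"maintainer-key",
    "archive-unstable": b"archive-unstable-key",
    "archive-testing": b"archive-testing-key",
}


def md5hex(data):
    return hashlib.md5(data).hexdigest()


def sign(signer, data):
    """Stand-in signature over `data` by `signer` (HMAC, see lead-in)."""
    return hmac.new(SIGNER_KEYS[signer], data, hashlib.sha256).hexdigest()


def verify(signer, data, sig):
    return hmac.compare_digest(sign(signer, data), sig)


def embed_signature(deb, signer):
    """Scheme A: the signature becomes part of the .deb itself.

    Each added signature produces a new file, so the md5sum changes and
    the checksum in the .changes file no longer matches.
    """
    sig = sign(signer, deb)
    return deb + b"_sig/" + signer.encode() + b"\n" + sig.encode() + b"\n"


def detached_signatures(deb, signers):
    """Scheme B: signatures live beside the .deb, keyed by signer.

    Any number can be added later (archive, testing migration,
    translators) without touching the package bytes.
    """
    return {s: sign(s, deb) for s in signers}


def add_detached_signature(deb, sigs, signer):
    """Append one more detached signature, e.g. after migration to testing."""
    updated = dict(sigs)
    updated[signer] = sign(signer, deb)
    return updated


def changes_checksum_matches(deb):
    """Does the .deb still match what the .changes file recorded?"""
    return md5hex(deb) == RECORDED_MD5


def policy_allows(deb, sigs, required):
    """Model of a user-set dpkg policy: every signer named in `required`
    must have a valid signature over exactly these package bytes."""
    return all(s in sigs and verify(s, deb, sigs[s]) for s in required)


if __name__ == "__main__":
    embedded = embed_signature(DEB_BYTES, "maintainer")
    print("embedded sig keeps .changes md5:", changes_checksum_matches(embedded))
    sigs = detached_signatures(DEB_BYTES, ["maintainer", "archive-unstable"])
    sigs = add_detached_signature(DEB_BYTES, sigs, "archive-testing")
    print("detached sigs keep .changes md5:", changes_checksum_matches(DEB_BYTES))
    print("policy 'must be in testing':",
          policy_allows(DEB_BYTES, sigs, ["maintainer", "archive-testing"]))
```

The policy check deliberately fails closed: a signer that is required but absent, or a signature that no longer matches the bytes being installed, both reject the package, which is the "refuse any deb without a specific signature" behaviour the quoted proposal asks for.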