On Fri, Mar 19, 2010 at 09:14:13AM +0100, Frank Lin PIAT wrote:
> On Thu, 2010-03-18 at 12:39 +0100, Harald Braumann wrote:
> > On Thu, Mar 18, 2010 at 08:31:40AM +0100, Goswin von Brederlow wrote:
> > > Russ Allbery <r...@debian.org> writes:
> > > > Simon McVittie <s...@debian.org> writes:
> > >
> > > >> Most packages (in terms of proportion of the archive, in particular for
> > > >> architectures other than i386 and amd64) are built by a buildd, so each
> > > >> buildd would have to have a signing key that could sign the checksums
> > > >> file during build.
> >
> > Self-contained packages, where the signature is included and installed
> > along with the checksum file, would have a lot of
> > advantages. You wouldn't need access to a lot of infrastructure just
> > to verify a signature. It would be very simple. It could be used for
> > packages, that are not part of Debian. For instance, I could produce a
> > package and send it to a friend and he could later use my key for
> > verification.
>
> Oh please no. Don't advocate sending individual .deb files, ever. This
> practice should be strongly discouraged. One brilliant part of Debian
> packaging *is* the APT infrastructure, some key features:

It's local software that's relevant for me and maybe 3 other people. I
don't think Debian would accept it in the archive. And I'm not going
to set up an APT infrastructure for this either, because it's simply
not needed.

> If people and ISV start publishing individual .deb, they (and we) will
> have to face the same problem as Windows/Mac/whatever had to solve: each
> application will need to embed a feature to "Check for update", etc.

These are exceptions, it's not like suddenly everyone starts
publishing their own debs. But why shouldn't an implementation also
support this?

harry