[ Added Peter on CC in case he's not reading the -dpkg list ]
Hi folks,
I'm working on a project where inline signatures on Debian-style
packages would be very useful, so I've started playing with debsigs
and debsig-verify. Both packages *appear* to be maintained, with
uploads during the Bullseye development cycle. But right now things
don't work with gpg2, as shipped in Buster onwards (#988368,
#988646). I'm also very surprised that debsigs doesn't have any
verification code (#988369) - I'd always expect tools like this to be
able to verify their own output!
AIUI there was a plan to integrate signing more closely with dpkg. Is
that likely to happen at some point, and if so will it be compatible
with what's already shipped? If so, I may be able to help with the
existing tools. Alternatively, I may need to develop a parallel
implementation for my project, and obviously I'd like to stay
compatible if that's possible.
Can you give me some advice here please?
--
Steve McIntyre, Cambridge, UK. st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.
