Archive signing

Martin Meredith martin at sourceguru.net
Mon Aug 22 09:44:06 CDT 2005


Hey John, can you generate a key on the server with the following command

gpg --gen-key

make it sign only, and make it have the name "Backports Signing key" the
email address "ubuntu-backports at lists.ubuntu.com" and no comment, then
email me the Key *ID* only... I can then set the script up to sign
properly... I'll then forward a copy of the updated script to you and
instructions on how to get the users to accept the key.

It'd be good if you could also get the key signed into the strong set
... That'll make life easier (contact whoever got your key into the
strong set - if you've got round to that already)

Regards,
Mez

John Dong wrote:
> On Sunday 21 August 2005 04:03 pm, you wrote:
> Currently, a couple update scripts run under root access, which gives the 
> whole SVN tree more or less root ownership.
> 
> However, the Backports archive is the same as any SVN checkout (i.e. the one 
> that you have ;) ). In http://ubuntubackports.org/ubp/, update_list.bsd.sh 
> runs hourly, and that's all the magic.
> 
> From what I can see, archive signing can be implemented as patches to this 
> script. If you want to start tweaking this script, feel free :). When you're 
> ready to apply the changes to the server, give me another ring.
> 
>>After reading this topic:
>>
>>http://www.ubuntuforums.org/showthread.php?t=33104
>>
>>I thought it might be time to bring this up again ...
>>
>>John - if you're willing to give me access I'll be happy to make it a
>>signed repo
>>
>>Martin Meredith wrote:
>>
>>>Hey there,
>>>
>>>just coming back to the whole thing of ... signing archives... I
>>>eventually managed to get my own personal archive signed, and I still
>>>think hoary-backports on the old server should be signed (along with
>>>hoary-extras)
>>>
>>>I'm willing to help implement this, and below is the script I managed to
>>>use to get my archive working as a signed archive
>>>
>>>http://dev.kubuntu.org.uk/~mez/archive/gen.sh
>>>
>>>Ok, so it's not pretty, but, it works, and I haven't worked out how to
>>>get apt-ftparchive working properly yet to auto-generate everything, if
>>>anyone wants to let me know, feel free.
>>>
>>>So what do you people think - should this be implemented?
> 
> 
> 
> 
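
The key request in the message above, carried through to a signed and verified Release file, as an added example that is not part of the original thread or the Backports scripts. It assumes GnuPG 2.1 or later, throwaway keyrings passed as --homedir, and apt's Release / Release.gpg naming; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GnuPG 2.1+ and a throwaway
# --homedir, so no real keyring is touched.

# Create a sign-only key with the name and address given in the message and
# no comment; print its fingerprint (the long key ID is its last 16 digits).
gen_signing_key() {
    home=$1
    chmod 700 "$home"
    # %no-protection stores the key without a passphrase so an hourly job can
    # sign unattended; the key file's permissions are then its only guard.
    gpg --homedir "$home" --batch --quiet --gen-key <<'EOF' || return 1
%no-protection
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Backports Signing key
Name-Email: ubuntu-backports@lists.ubuntu.com
%commit
EOF
    gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Write an armoured detached signature to <Release>.gpg (assumed apt layout).
sign_release() {
    gpg --homedir "$1" --batch --yes --local-user "$2" \
        --armor --detach-sign --output "$3.gpg" "$3"
}

# Public half of the key: the only thing users need to import.
export_pubkey() {
    gpg --homedir "$1" --batch --armor --export "$2"
}

# User side: succeeds only if Release.gpg is a good signature over Release.
verify_release() {
    gpg --homedir "$1" --batch --verify "$2.gpg" "$2" 2>/dev/null
}
```

Because no subkey is requested, the key can sign but not encrypt, which is the "sign only" choice asked for above.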
