Signed packages?
Daniel Stone
daniel.stone at canonical.com
Mon Sep 20 06:25:28 UTC 2004
On Mon, Sep 20, 2004 at 01:12:46AM -0500, J.B. Nicholson-Owens wrote:
> First, Ubuntu looks like a fine system. I'm also glad to read that the
> focus will be on catering to making things usable by novices. It's quite a
> challenge, but it looks like Ubuntu is taking big steps in the right
> direction.
>
> I was curious about signed packages. Are crytographically signed DEBs
> possible?
>
> If so, does Ubuntu use signed packages? If not, is this something that is
> seen as a good idea for the future or unnecessary?
>
> Any rationale to help explain how they're unnecessary would be appreciated
> if time allows.
Right now, the .debs themselves aren't cryptographically signed, but we
do have strong crypto involved. Every upload to the archive is done as
source-only: for instance, when I upload xresprobe, I don't upload any
binaries, just the source (the autobuilders build everything). When I
upload the source, there's a .changes file, containing md5sums of
everything I uploaded. The .changes file has to be signed with my GnuPG
key.
When autobuilder uploads are done, they also contain .changes files,
which are signed in a similar way. So, while the .debs themselves
aren't signed (or the source files), we have a pretty damn good audit
trail. :)
Cheers,
d
--
Daniel Stone <daniel.stone at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20040919/799976d5/attachment.sig>
More information about the ubuntu-users
mailing list