[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures
dpmcgee at gmail.com
Wed Mar 16 21:14:47 EDT 2011
On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae <allan at archlinux.org> wrote:
> On 13/03/11 13:24, Allan McRae wrote:
>> I'd like comments on where the signature should be generated. I was
>> thinking at the end of makechrootpkg, but before upload could also
>> Note that the future makepkg implementation for automatic signing
>> is probably not appropriate for use as that would require gpg and a
>> keyring in the chroot.
Is this a bad thing? Does it drag in a lot of deps?
> More thinking about this... the package signing probably can not be too
> linked to building (i.e. not in makechrootpkg) as that might be on an
> external build server (which should not have private keys on it). So I
> guess that it should be done at the time of upload.
"probably can not be too linked" - someone is hedging their words. :)
I agree that it shouldn't have to be linked, but making it easy to
generate as part of the build process is something that we shouldn't
forget. However, in the case of building it elsewhere, is it that bad,
iff they are using a key protected by a passphrase?
When someone builds remotely, and you say "done at time of upload", do
you really copy it back locally before uploading it? Or how is pushing
off the time of signing going to help here?
More information about the arch-dev-public