[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures
Dan McGee
dpmcgee at gmail.com
Wed Mar 16 21:48:23 EDT 2011
On Wed, Mar 16, 2011 at 8:31 PM, Allan McRae <allan at archlinux.org> wrote:
> On 17/03/11 11:14, Dan McGee wrote:
>>
>> On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan at archlinux.org> wrote:
>>>
>>> On 13/03/11 13:24, Allan McRae wrote:
>>>>
>>>> I'd like comments on where the signature should be generated. I was
>>>> thinking at the end of makechrootpkg, but before upload could also
>>>> work.
>>
>>>> Note that the future makepkg implementation for automatic signing
>>>> is probably not appropriate for use as that would require gpg and a
>>>> keyring in the chroot.
>>
>> Is this a bad thing? Does it drag in a lot of deps?
>
> Not a lot of deps given pacman will pull them in eventually for gpg support.
> It is more having to set-up your keyring in every chroot that I was
> concerned about.
I feel like this is something that can be done in makechrootpkg
without too much hassle, no? Just a cp into the chroot.
>>> More thinking about this... the package signing probably can not be too
>>> linked to building (i.e. not in makechrootpkg) as that might be on an
>>> external build server (which should not have private keys on it). So I
>>> guess that it should be done at the time of upload.
>>
>> "probably can not be too linked" - someone is hedging their words. :)
>>
>> I agree that it shouldn't have to be linked, but making it easy to
>> generate as part of the build process is something that we shouldn't
>> forget. However, in the case of building it elsewhere, is it that bad,
>> iff they are using a key protected by a passphrase?
>
> I am hedging ever so slightly... I would not be putting my gpg key on a
> server where other people have access, even with a strong passphrase.
OK. Let's operate on this assumption then and find a solution that works for it.
>> When someone builds remotely, and you say "done at time of upload", do
>> you really copy it back locally before uploading it? Or how is pushing
>> off the time of signing going to help here?
>
> Well, copying the package locally needs to be done to test the package
> anyway...
Oh yeah....testing. Who does that? For something like xxx-data, I feel
like this has the possibility of getting unweildy, although I see now
good way around this.
> Anyway, at this stage, I think we just need to get something that "works"
> happening. The entire process can be adjusted or added to later as real
> world usage dictates.
Agreed.
We might want to take a look at this:
http://packages.debian.org/lenny/devscripts
Notably: cowpoke, debsign and see how they do things.
-Dan
More information about the arch-dev-public
mailing list