File: TODO

package info (click to toggle)
dpkg-sig 0.13.1+nmu4
  • links: PTS
  • area: main
  • in suites: buster, sid, stretch
  • size: 180 kB
  • ctags: 38
  • sloc: perl: 1,311; makefile: 51
file content (21 lines) | stat: -rw-r--r-- 1,022 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
* Understand the way debsign works and verify its signatures.

* What happens with expired keys?

* Get about 1000 DDs to test the thing and report bugs.

* Create patches for katie, the buildds and dpkg to sign and verify
  signatures everytime a package is touched.

* We need a way to check if the signature is done by a DD ... errr ...
  Reworded: To check if the package is signed with a DD's gpg key (ATM
  we don't see the difference between someone who rebuilt the package
  with his h4x0r3d sk111z signing as "builder" and a DD who's supposed
  to do so). Perhaps something with debian-keyring, gpg
  --no-default-keyring --keyring, but that won't work with NMs. Do we
  need a wanna-be-dd-keyring? Perhaps one with all keys of people
  with a package in the archive. Oh, and for non-Debian sources we
  would need a --accept-people-not-associated-with-debian switch. 
  *sigh* 
  We have to discuss this at least with the debian keyring manager, 
  and perhaps some more DDs (#debian-devel? debian-devel@l.d.o?)