ktdreyer
commented
8 years ago TODO: check out https://github.com/mkouhei/pydebsign . It is a Python re-implementation of debsign, and it might suit our goals.
Open ktdreyer opened 8 years ago
ktdreyer
commented
8 years ago TODO: check out https://github.com/mkouhei/pydebsign . It is a Python re-implementation of debsign, and it might suit our goals.
ktdreyer
commented
8 years ago Any .changes files that reference .dsc files need to be rewritten as well. They typically contain checksums of the .dsc files.
It is typical for Debian/Ubuntu to sign all
.dscfiles. This ticket explores the possibility of having merfi handle this.An example of an inline-signed
.dscfile (the curl package for trusty): http://us.archive.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.19.7-1ubuntu1.dscThe problem is that this affects the reprepro metadata, because the .dsc file's overall checksum changes after it gets signed.
An example of a metadata file that contains a checksum of a
.dscfile is http://us.archive.ubuntu.com/ubuntu/dists/trusty/main/source/Sources.bz2The workflow would have to look something like this:
.dscfile (conventionally Debian developers usedebsignfor this, but technically it could be done withgpgorrpm-sign).dscfile usingrepreproReleasefiles (as merfi already does).Alternatively, if we wanted to do the signing without interleaving
reprepro, another workflow might be:.dscfile to the repo, usingreprepro.dscfile.dscfile within theSourcesfile(s)Sourceswithin theReleasefileReleasefile (as merfi already does).This is more complex, more tightly coupled with the behavior of reprepro, and more prone to possible errors. On the other hand, the advantage is that
repreprocan be run only once at the beginning, before anything has to be signed.Maybe it would be easier to package and build reprepro for Red Hat rel-eng's platform (ie RHEL 6) than it would be to implement this "fiddle with the checksums" workflow in merfi.