Debian Bug report logs - #10452
dpkg: need ability to embed signatures in .deb files


Package: dpkg; Maintainer for dpkg is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg is src:dpkg.

Reported by: jdassen@wi.leidenuniv.nl (J.H.M.Dassen)

Date: Mon, 9 Jun 1997 08:18:01 UTC

Severity: wishlist

Merged with 37017

Found in version 1.4.0.34

Fixed in version dpkg/1.9.0

Done: Wichert Akkerman <wakkerma@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>:
Bug#10452; Package dpkg.


Acknowledgement sent to jdassen@wi.leidenuniv.nl (J.H.M.Dassen):
New bug report received and forwarded. Copy sent to Ian Jackson <ian@chiark.greenend.org.uk>.


Message #5 received at submit@bugs.debian.org:

From: jdassen@wi.leidenuniv.nl (J.H.M.Dassen)
To: submit@bugs.debian.org
Subject: Fwd: Re: [NO FLAMES!] Re: rpm vs. dpkg (was: Re: Future of Linux (a flame about RPM/GLINT)???)
Date: Mon, 9 Jun 1997 10:08:24 +0200
Package: dpkg
Version: -

This is not a bug; it is a feature request. 

Like RPM, Debian's distribution system uses PGP signatures heavily.  Unlike
RPM, PGP signatures are not currently built into the package format, which
would be quite useful (see Ted's article included below).
Is it possible to build in PGP signatures? (preferably as a separate file in
the ar archive, for backwards compatibility)

Greetings,
Ray

Path: news.wi.leidenuniv.nl!highway.leidenuniv.nl!surfnet.nl!howland.erols.net!b
 loom-beacon.mit.edu!senator-bedfellow.mit.edu!senator-bedfellow.mit.edu!not-for
 -mail
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Newsgroups: comp.os.linux.development.system
Subject: Re: [NO FLAMES!] Re: rpm vs. dpkg (was: Re: Future of Linux (a flame about RPM/GLINT)???)
Date: 7 Jun 1997 15:44:53 -0400
Organization: The Internet
Lines: 61
Sender: news@athena.mit.edu
Distribution: world
Message-ID: <5ncdnl$a2a@senator-bedfellow.MIT.EDU>
Reply-To: tytso@MIT.EDU
NNTP-Posting-Host: senator-bedfellow.mit.edu
Xref: news.wi.leidenuniv.nl comp.os.linux.development.system:49989

   From: wilcoxb@ucsu.Colorado.EDU (Zooko)
   Date: 7 Jun 1997 13:32:06 GMT

   * I went in to some details about _why_, I think, Debian is 
   able to support more packages with (probably) equal 
   effectiveness.  (Namely that there are many more Debian 
   maintainers, and Debian maintainers are more likely to have 
   an.. um..  "personal" relationship with the software they 
   support.)

   * I said that this observation kind of disturbs me, since I'm 
   very much in favor of people getting paid for this kind of 
   work.

I'll make the following observations:

1) It's an open question whether "hundreds" of part-time volunteers are
better than 6-8 highly focused, full-time developers.  People who aren't
familiar with Brooks Law should run, not walk, to the closest bookstore
and get a copy of "The Mythical Man-Month":

	Brooks's Law

	/prov./ "Adding manpower to a late software project makes it
        later" -- a result of the fact that the expected advantage from
	splitting work among N programmers is O(N) (that is,
	proportional to N), but the complexity and communications cost
	associated with coordinating and then merging their work is
	O(N^2) (that is, proportional to the square of N). The quote is
	from Fred Brooks, a manager of IBM's OS/360 project and author
	of "The Mythical Man-Month" (Addison-Wesley, 1975, ISBN
	0-201-00650-2), an excellent early book on software
	engineering. The myth in question has been most tersely
	expressed as "Programmer time is fungible" and Brooks
	established conclusively that it is not. Hackers have never
	forgotten his advice; too often, management still does. See also
	creationism, second-system effect, optimism.

(I'll note that some of the reports that I've gotten about internal
Debian politics amongst the Debian developers would tend to bear Brooks
law out.)

2)  Some packages, such as my e2fsprogs package, are distributed
natively as an RPM package.  I chose this because it's the most
convenient way for me to build and distribute source and binary
packages.  One feature which I very much like is the easy ability to
embed PGP signatures to digitally sign both my source and binary
packages, which can be easily verified by people who wish to make sure
the package really was from me.  Since it's built into the binary
package format, you don't need to worry about a clumsy secondary .pgp
file; it's out of the way for people who don't know about it, and
convenient to verify for those people who like to be paranoid about
where their software comes from (especially software which is run as
root!  :-)

3) As far as people (like myself) not getting paid for this kind of
work, you get payback in all sorts of indirect ways --- from invitations
to speak at conferences all over the world, to the joy of knowing that
the work that you do is useful to a large number of people.

						- Ted
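
The request in this message, a signature carried as one more member of the .deb's ar archive so that existing tools keep working, can be sketched as follows. This is an added example, not code from dpkg or from this bug report; the `_gpgorigin` member name and the choice of a detached signature over the concatenated `debian-binary`, `control.tar.*` and `data.tar.*` members are assumptions, and all sample bytes are constructed placeholders.

```python
import io

AR_MAGIC = b"!<arch>\n"

def ar_pack(members):
    """Build a minimal ar archive from (name, bytes) pairs (for constructed samples)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]
        out.write(("%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                   % (name, 0, 0, 0, "100644", len(data))).encode("ascii"))
        out.write(data + (b"\n" if len(data) % 2 else b""))  # pad to even offset
    return out.getvalue()

def ar_members(blob):
    """Parse an ar archive into an ordered list of (name, bytes)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, found = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        found.append((name, data))
        pos += 60 + size + size % 2
    return found

def split_deb(blob):
    """Return (bytes a detached signature would cover, {signature member: bytes})."""
    members = ar_members(blob)
    if not members or members[0][0] != "debian-binary":
        raise ValueError("first member must be debian-binary")
    core = [d for n, d in members
            if n == "debian-binary" or n.startswith(("control.tar", "data.tar"))]
    sigs = {n: d for n, d in members if n.startswith("_gpg")}  # assumed naming
    return b"".join(core), sigs

# Constructed sample: placeholder bytes stand in for real tarballs and a real signature.
CORE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"CTRL"), ("data.tar.gz", b"DATA!")]
SIG = [("_gpgorigin", b"PLACEHOLDER-DETACHED-SIG")]
UNSIGNED = ar_pack(CORE)
SIGNED = ar_pack(CORE + SIG)
TAMPERED = ar_pack(CORE[:2] + [("data.tar.gz", b"DATA?")] + SIG)
```

Adding the signature member leaves the covered bytes identical to those of the unsigned package, while changing `data.tar.gz` changes them; the payload and signature returned by `split_deb` are what a verifier would pass to an OpenPGP implementation.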


Severity set to `wishlist'. Request was from Ian Jackson <ijackson@chiark.greenend.org.uk> to control@bugs.debian.org.


Changed Bug title. Request was from Ben Collins <bmc@marcus.seva.net> to control@bugs.debian.org.


Merged 10452 37017. Request was from Ben Collins <bmc@marcus.seva.net> to control@bugs.debian.org.


Reply sent to Wichert Akkerman <wakkerma@debian.org>:
You have taken responsibility.


Notification sent to jdassen@wi.leidenuniv.nl (J.H.M.Dassen):
Bug acknowledged by developer.


Message #16 received at 37017-close@bugs.debian.org:

From: Wichert Akkerman <wakkerma@debian.org>
To: 37017-close@bugs.debian.org
Subject: Bug#37017: fixed in dpkg 1.9.0
Date: Fri, 27 Apr 2001 08:53:37 -0400

We believe that the bug you reported is fixed in the latest version of
dpkg, which has been installed in the Debian FTP archive:

dpkg-doc_1.9.0_all.deb
  to pool/main/d/dpkg/dpkg-doc_1.9.0_all.deb
dpkg-1.9.0.tar.gz byhand
dpkg_1.9.0.dsc
  to pool/main/d/dpkg/dpkg_1.9.0.dsc
dpkg-dev_1.9.0_all.deb
  to pool/main/d/dpkg/dpkg-dev_1.9.0_all.deb
dpkg-1.9.0_i386.nondebbin.tar.gz byhand
dpkg_1.9.0_i386.deb
  to pool/main/d/dpkg/dpkg_1.9.0_i386.deb
dpkg_1.9.0.tar.gz
  to pool/main/d/dpkg/dpkg_1.9.0.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 37017@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wichert Akkerman <wakkerma@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 26 Apr 2001 12:39:16 +0200
Source: dpkg
Binary: dpkg-dev dpkg-doc dpkg
Architecture: source all i386
Version: 1.9.0
Distribution: unstable
Urgency: low
Maintainer: Wichert Akkerman <wakkerma@debian.org>
Changed-By: Wichert Akkerman <wakkerma@debian.org>
Description: 
 dpkg       - Package maintenance system for Debian
 dpkg-dev   - Package building tools for Debian
 dpkg-doc   - Dpkg Internals Documentation
Closes: 4784 4974 13961 15644 25317 25496 31620 37017 45511 60717 60717 65284 67528 67896 68783 72406 74372 74814 75139 75562 75796 80142 80529 80532 81358 81630 82419 82708 82723 83042 83083 83468 83752 83812 84328 84361 84449 84582 84625 84905 85035 85040 85080 85847 85977 86453 86658 86847 87238 87485 87505 87571 87572 87579 87581 87985 88015 88225 88987 89000 89409 90328 90516 90722 90982 92908 93559 93873 94474 95023 95088
Changes: 
 dpkg (1.9.0) unstable; urgency=low
 .
   * Things should mostly work OpenBSD 2.8 as well now
   * Added a --status-pipe option.
   * Fixed several memleaks.
   * Profiled dpkg.
     * Reworked lib/parse.c:parsedb().  Instead of using getc(), then
       calling varbufaddc(), it now reads the entire file at once into a
       huge buffer, then moves pointers around, to do the parsing.  This
       gave a speedup of 33% on a dual celeron 333, when reading status and
       available.
     * various other speedups.
   * Removed all --smallmem code, as smallmem and largemem now actually
     use about the same amount of memory, and largemem is faster.  Both
     --largemem and --smallmem are now obselete options, and will print
     a warning if used. Closes: Bug#84905, #67528
   * Initialize unitialized variables.  This should solve several
     segfaults. Closes: Bug#25317(plus 9 others, thru the beauty of
     merges)
   * Found that when working with dependency cycles, and part of the cycle
     was a provide, the provider was not being considered, so the cycle
     could not be broken. Closes: Bug#87985(and 3 others)
   * Update German translation, Closes: Bug#80529,#80532,#87581
   * Update French translation, Closes: Bug#65284,#85035,#87238
   * Update Japanese translation, Closes: Bug#93873
   * Updated all other translations (but no bugs filed)
   * Add Danish translation
   * Remove spurious '%s' in Polish translation, Closes: Bug#74814
   * Add French manpages, courtesy of Philippe Batailler
   * Ingore vim swapfiles in dpkg-source, Closes: Bug#81630
   * remove --import option from dpkg-statoverride, Closes: Bug#81358
   * Replace nfmalloc implementation with obstack. Added obstack.[ch] to
     optlib, for non-GNU systems.
   * dpkg-divert only allows absolute filenames now. Closes: Bug#82419
   * Handle diffs from non-existing files to existing files. Closes: Bug#82708,
     #90982.
   * Small fixes to the buildsystem. Closes: Bug#84361
   * Fix dpkg-statoverride --update for things other then plain files.
     Closes: Bug#84449
   * Fix race with source directory disappearing in dpkg-source.
     Closes: Bug#45511
   * Fix manpage for dpkg-gencontrol. Closes: Bug#84625
   * Add -n option for dpkg-gencontrol to specify a filename. Closes: Bug#75796
   * Use POSIX glob instead of regexp in debian/rules. Closes: Bug#83042,
     #84582
   * fix typo in usage message for dpkg-divert, Closes: Bug#85977
   * Use full path for argv[0] when calling scripts. Closes: Bug#68783
   * Add ia64 support to dpkg-architecture.
   * Minor script changes, Closes: Bug#87485
   * Stop dpkg-genchanges from complaining about missing packages
     when doing a source-only build. Closes: Bug#87571,#15644,#25496
   * Various dpkg-architecture cleanups. Closes: Bug#87505
   * Modify dpkg-architecture to handle gcc versions containing letters.
     Closes: Bug#83083
   * dpkg-buildpackage updates: Closes: Bug#87572,#85847
     + make -C work properly
     + fix test for gpg secret keyring
     + improve source messages
     + skip signing pause when building unsigned packages
     + test for invalid signinterface. Closes: Bug#87579
     + remove debsign support, it's useless and doesn't work
     + Use correct architecture when naming .changes file. Closes: Bug#88015
   * Fix wording in dpkg-statoverride manpage for --add. Closes: Bug#85080
   * Fix typo in start-stop-daemon manpage. Closes: Bug#88225
   * Add dpkg-checkbuilddeps to check if build dependencies are satisfied
     and modify dpkg-buildpackage to call it if wanted.
     Closes: Bug#86453,#83812,#60717,#74372,#67896,#60717,#13961
   * dpkg-parsechangelog can read a changelog from stdin now. Closes: Bug#80142
   * Fix confusing wording for dpkg-buildpackage -uc option in manpage.
     Closes: Bug#83468
   * dpkg-statoverride now exits with exitcode 1 if we do a --list but don't
     output anything. Closes: Bug#84328
   * Remove Linux reference from all scripts, they should run fine on
     other OSes as well.
   * Mark last argument in dpkg-scanpackages usage info as optional.
     Closes: Bug#86658
   * Fix cache in dpkg-scanpackages version comparison. Closes: Bug#90722
   * Fix formatting error in dpkg-source.1. Closes: Bug#82723
   * Change dpkg-gencontrol to fix comma-related syntax errors after
     processing substvars. Closes: Bug#92908
   * Verify package signatures if debsig-verify is installed. Closes: Bug#37017
   * Handle window resize in dselect main menu. Closes: Bug#93559
   * Initialize all parts of the package record.  This should fix several
     segfaults people have been seeing in dpkg.  Closes: Bug#90328.
   * Apply patch from bug#86847, that escapes intl chars in filenames.
     Closes: Bug#83752, #85040, #86847, #89000.
   * Errors during dpkg -s(and other similiar commands) are now printed
     on stderr.  Closes: Bug#88987.
   * Add a --retry option to start-stop-daemon. Closes: Bug#75139
   * Fix regeps to extract Closes magic from a changelog so the #
     is really optional. Closes: Bug#94474
   * Remove useless statement from dpkg-shlibdeps. Closes: Bug#90516
   * Make the debian changelog parser identify itself with $progname.
     Closes: Bug#89409
   * Give a syntax error when we get an unexpected PGP signature in control
     files. Closes: Bug#75562
   * Change dpkg manpage to reflect that --force-statoveride is no enabled
     by default. Closes: Bug#95023
   * Handle dangling symlinks, by ignoring error code 1 from find, when
     processing --recursive. Closes: Bug#4784
   * dpkg -L, -S, -l, -s, and -p now return an error code if any package
     does not exist. Closes: Bug#4974, #72406
   * dselect has a configuration file as well now
   * Get ENOENT value at runtime in dpkg-divert instead of hardcoding it.
     Closes: Bug# 31620
   * Fix wrong ENOENT test in dpkg-divert. Closes: Bug#95088
   * Add support for more SuperH variants (sh[34]{,eb}-linux-gnu)
   * Fix formating and a typo in the dpkg manpage
   * Document the dpkg.cfg configuration file in dpkg(8)
Files: 
 2c6e367d8f9b51cf417ccfb35b858190 618 base required dpkg_1.9.0.dsc
 5c2b99e664b04c744eb93f079b51aef5 1288818 base required dpkg_1.9.0.tar.gz
 91767f85b979ebc86769149d8bb323cc 1018776 base required dpkg_1.9.0_i386.deb
 ea12da65ab5292cdb2b5d95d6b684dcc 1008856 byhand - dpkg-1.9.0_i386.nondebbin.tar.gz
 7f3f84fc919a122d7c492a1712f0b081 99710 devel important dpkg-dev_1.9.0_all.deb
 60bda539ece505c4eb2f7784be118571 10648 doc extra dpkg-doc_1.9.0_all.deb
 5c2b99e664b04c744eb93f079b51aef5 1288818 byhand - dpkg-1.9.0.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjrobwYACgkQPLiSUC+jvC3kEgCfX2M/zG64KdWbAfJ2QMjdWi3y
wq8An246QZUfICOMkw3TcI1zsNgSqnig
=OR1+
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 20 02:41:36 2024; Machine Name: bembo
