

Re: Problem with reformatting package announcements

On Wed, 6 Mar 1996, Ian Jackson wrote:

> As I understand it the current proposal for package announcements is
> that the developer uploads the announcement in `dchanges' format in
> the .changes file with the package's other files, or mails it to some
> special address.  Some program on the master site or somewhere
> reformats it to a better[1] format before posting it to the actual
> list.
> 
> Unfortunately this idea doesn't work well if we want package
> maintainers to PGP sign their release announcements.  If we want that
> (which I think is a good idea) then the package maintainer will have
> to sign the final form of the announcement, which basically means that
> they'll have to ship it in the form the user sees it.
> 
> Ian.
> 
> [1] More human-readable, and (for example) suitable for `md5sum -cv',
> &c.

Bruce should probably speak to this, but I'll give my understanding of
the intention.

1.  The pgp-signed changes file is uploaded with the packages (or,
    possibly, emailed separately to a distribution maintenance address
    after package file upload).

2.  The signature is mechanically verified against the key of the
    maintainer registered for the source (or, as appropriate, the
    appropriate arch) for the package.

3.  Verification failures are kicked out and probably looked at
    manually before being either processed or rejected.  Handling
    is decided by the distribution maintainer.

4.  Verification successes are further processed, probably mechanically.
    This processing includes generating a public announcement of package
    availability once it becomes available in the distribution.  The
    public announcement contains information gleaned from the changes
    file, but probably reformatted for better readability by a human.
    In particular, the contents of the Files field are probably massaged
    for better cosmetics and/or better "md5sum -c" compatibility in the
    public announcement.  The Files section lines in the changes file
    are intended for consumption by automated processing scripts on
    the upload site, not for public view.

I don't know about pgp signing of the public announcements.  If that's
deemed appropriate, I presume that they'd be signed by the debian
distribution maintainer, since he's sufficiently satisfied by having
verified the changes file signature to stand behind its pedigree.
I also presume that they'd be signed by a pseudo-person (e.g.,
"Debian Distribution Maintainer <debian_dist_maintainer@debian.org>")
instead of being signed with the true identity of whoever the
current distribution maintainer happens to be (this, of course,
to prevent the need for lots of housekeeping when the distribution
maintainer seat changes occupants).
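Steps 2 through 4 above describe checking the uploaded files against the changes file and massaging its Files field into a form the announcement reader can feed to `md5sum -c`. The following added example (not code from this thread or from Debian's own tools) sketches that in Python: it parses a constructed Files field whose column layout is assumed from the description in the message, emits the `md5sum -c` form, and reports which files would be kicked out for manual review.

```python
import hashlib
import re

# Constructed sample of a 1996-style .changes Files field; the column layout
# "<md5sum> <size> <section> <priority> <filename>" is assumed from the thread.
FILES_FIELD = """\
 5d41402abc4b2a76b9719d911017c592 5 base required hello_1.0-1.tar.gz
 9e107d9d372bb6826bd81d3542a419d6 43 base required hello_1.0-1.dsc
"""
# Constructed in-memory stand-in for the files sitting on the upload site.
UPLOADED = {
    "hello_1.0-1.tar.gz": b"hello",
    "hello_1.0-1.dsc": b"The quick brown fox jumps over the lazy dog",
}
FILES_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_files_field(text):
    """Turn the machine-oriented Files lines into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FILES_LINE.match(line)
        if m is None:  # a malformed line is itself a reason to kick the upload out
            raise ValueError("malformed Files line: %r" % line)
        md5, size, section, priority, name = m.groups()
        entries.append({"md5": md5, "size": int(size), "section": section,
                        "priority": priority, "name": name})
    return entries


def to_md5sum_check_format(entries):
    """Announcement form: 'md5sum  filename' lines that GNU md5sum -c accepts."""
    return "".join("%s  %s\n" % (e["md5"], e["name"]) for e in entries)


def verify_files(entries, uploaded):
    """Check listed files against the upload; anything but 'ok' goes to manual review."""
    status = {}
    for e in entries:
        data = uploaded.get(e["name"])
        if data is None:
            status[e["name"]] = "missing"
        elif len(data) != e["size"]:
            status[e["name"]] = "size-mismatch"
        elif hashlib.md5(data).hexdigest() != e["md5"]:
            status[e["name"]] = "md5-mismatch"
        else:
            status[e["name"]] = "ok"
    return status
```

The PGP signature check of step 2 is deliberately left out here; this block only covers what happens to the Files field once the signature has already been accepted.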