webadmin-devel

Re: 1.030 RPM still unsigned?

[Jamie C. <jca...@we...>]

Wil Cooley <wc...@na...> wrote ..
> 
> Yes, the RPM is still unsigned :(  Jamie, do you need help with the GPG
> part?

No, I've figured out how to work GPG. I'm just looking for a solution for
signing the .tar.gz packages of webmin and individual modules as well
before putting out signed versions. Any idea how people usually handle
the signing of .tar.gz files? With RPMs, the file format can handle the
signature actually being part of the file, but that isn't the case with
tarballs ..

 - Jamie

Re: 1.030 RPM still unsigned?

[Wil C. <wc...@na...>]

On Mon, 2002-11-04 at 01:29, Jamie Cameron wrote:
> Wil Cooley <wc...@na...> wrote ..
> >=20
> > Yes, the RPM is still unsigned :(  Jamie, do you need help with the GPG
> > part?
>=20
> No, I've figured out how to work GPG. I'm just looking for a solution for
> signing the .tar.gz packages of webmin and individual modules as well
> before putting out signed versions. Any idea how people usually handle
> the signing of .tar.gz files? With RPMs, the file format can handle the
> signature actually being part of the file, but that isn't the case with
> tarballs ..

A detatched signature is how people handle tar.gz.  In order to
effectively handle per-module updates, you might consider repackaging so
the modules go into separate or subpackages.  I know that'd be a fair
amount of work, which is why I've never suggested it before.

Wil
--=20
Wil Cooley                                 wc...@na...
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
QCSNet                                     http://www.qcsn.com
* * * * T1, Frame Relay, DSL, Dial-up, and Web Hosting * * * *

RE: 1.030 RPM still unsigned?

[David C. <co...@co...>]

My experience in the past is that tar.gz's aren't really signed at this
point, mostly just released with MD5 bitchecks.

Now since I only develop and release small programs I find the MD5
bitcheck works perfectly well for myself.

BTW Jamie, I'm on a system restoration contract right now, and someone
handed me a server from early 2001 and was told "make it work".  It had
webmin 0.84 on it... Let me just say you should be extremly proud of how
much Webmin has grown and prosper over this past year alone.

David

Wil Cooley <wc...@na...> wrote ..
> 
> Yes, the RPM is still unsigned :(  Jamie, do you need help with the
GPG
> part?

No, I've figured out how to work GPG. I'm just looking for a solution
for
signing the .tar.gz packages of webmin and individual modules as well
before putting out signed versions. Any idea how people usually handle
the signing of .tar.gz files? With RPMs, the file format can handle the
signature actually being part of the file, but that isn't the case with
tarballs ..

 - Jamie