Idea: PGP-sign */Packages ?
An idea for Debian developers follows:
(I'm not currently subscribed to debian-devel, so if you want me to see your
replies, cc to me...)
Could someone PGP-sign the Packages files in the Debian distribution? Since
they contain MD5 checksums of the .deb files, the PGP signature would
validate all of them at once...
Maybe dpkg should also check its available file for any package it installs,
check the MD5 checksum (if it has the checksum for the .deb file it's trying
to install), and warn if it doesn't match (maybe also if it doesn't have the
checksum). And, if PGP is installed on the system, check the PGP signature
of any Packages files put in its database (with dpkg --update-avail or dpkg
--merge-avail).
This should make things somewhat more secure for the paranoid; currently,
any mirror site (or anyone between a user and the FTP site he's downloading
from) can theoretically modify its files...
As for how they should be signed, probably even an automatic script using a
"Debian distribution key" and running on master (or whatever produces the
final Packages files) would be enough (i.e. there probably isn't that much
need for a human to validate the Packages file each time). This should be
pretty easy to implement, for example by running "pgp -saft" as a filter
that creates the final Packages file...
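The check the message proposes, as an added example (not code from the original post or from dpkg): the Packages index is parsed only after a caller-supplied signature verifier accepts it, and each .deb about to be installed is compared against its stanza's MD5sum, with a mismatch and a missing checksum reported as separate outcomes. The `verify_sig` hook is a hypothetical stand-in for a `pgp` invocation, and the sample index and .deb contents are constructed.

```python
import hashlib
from typing import Callable

# Constructed sample Packages index (two stanzas) in the field: value format
# dpkg reads.  The "util" stanza deliberately lacks an MD5sum field.
SAMPLE_PACKAGES = """\
Package: hello
Version: 1.3-1
Filename: binary-i386/hello_1.3-1.deb
MD5sum: 5d41402abc4b2a76b9719d911017c592

Package: util
Version: 0.1-1
Filename: binary-i386/util_0.1-1.deb
"""


def parse_packages(text: str) -> dict:
    """Parse a Packages file into {package name: {field: value}}.
    Stanzas are blank-line separated; indented lines are continuations."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index


def load_trusted_index(text: str, verify_sig: Callable[[str], bool]) -> dict:
    """Hypothetical hook: only parse the index once its signature verifies."""
    if not verify_sig(text):
        raise ValueError("Packages file signature does not verify; refusing to use it")
    return parse_packages(text)


def check_deb(index: dict, package: str, deb_bytes: bytes) -> str:
    """Return 'ok', 'mismatch' or 'no-checksum' for a .deb about to be installed."""
    expected = index.get(package, {}).get("MD5sum")
    if expected is None:
        return "no-checksum"          # index carries no digest for this package
    actual = hashlib.md5(deb_bytes).hexdigest()
    return "ok" if actual == expected else "mismatch"
```

MD5 is used here because the proposal is built on the MD5sum field of the Packages file; a present-day implementation would compare a SHA-256 digest instead.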
--
-=- Rjs -=- rjs@spider.compart.fi, rjs@lloke.dna.fi