[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: web address in control file

On Tue, 3 Feb 1998, Christian Schwarz wrote:

> On Mon, 2 Feb 1998, James R. Van Zandt wrote:
> > 
> > Christian Schwarz <schwarz@monet.m.isar.de> writes:
> > >Other keywords that have been suggested before:
> > ...

Arto Astala reminded my of another keyword which I proposed some time ago
already (but forgot to mention in my last mail :-)

We should consider to have a new keyword called "Origin:" (or something
like that) which contains the name of the distributor of the package. For
all packages in the Debian distribution, this field would always contain
"Origin: SPI".  Any other person/company which produces .debs would list
their name in that field. 

I think this field is important for the users to know from which source a
package comes from. Perhaps we should also implement some functionality
into dpkg to check the origin field of the packages at installation time
and issue a warning if packages from different sources are `mixed'. E.g.,
we and the KDE team both produce .debs and since both sets of packages use
different file system standards they can't be intermixed. 

(Note, that this was a long discussion on debian-policy some weeks ago. We
agreed that we should not rename our packages to debian-* or to implement
special virtual packages for third parties to avoid such cases. However,
perhaps such a new control field could help in these situations where
packages coming from different parties use the same names.) 

Of course, that new control field would only make sense if the control
files are digitally signed (e.g., with PGP) to make sure all `Origin: SPI'
packages really come from SPI. 

Ideally, the .deb would contain a new entry in the `ar' archive (besides
control.tar.gz and data.tar.gz), perhaps called `signature', that contains
the PGP signature. Each installation would then have a /etc/deb-keyring
PGP public keyring which contains `trusted' signatures--from the users
point of view. 

By default, that file would contain the SPI signature(s) only (the user
already trusted us by installing our distribution :-), but easily be
extent to include signatures from other sources as well. At installation
time, dpkg will then check the PGP sigs on the packages against the keys
in this key ring and report missing or un-checkable signatures as
`warning', but abort if the signature is bad. 

This procedure would require some automated way of digitally signing
packages that have been uploaded to master with the "SPI" key--but I'm
sure we find a practical and secure solution for that. (Perhaps, we should
only sign the packages at release time?)




--                 Christian Schwarz
                    schwarz@monet.m.isar.de, schwarz@schwarz-online.com,
Don't know Perl?     schwarz@debian.org, schwarz@mathematik.tu-muenchen.de
Visit                  PGP-fp: 8F 61 EB 6D CF 23 CA D7  34 05 14 5C C8 DC 22 BA
http://www.perl.com     http://fatman.mathematik.tu-muenchen.de/~schwarz/

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: