Re: md5sums (was Re: System integrity...)

On Mon, Jun 14, 1999 at 11:01:40AM +0000, Rene Mayrhofer wrote:
> Am Mon, 14 Jun 1999 schrieb Chris:
> > On Sun, Jun 13, 1999 at 03:46:42AM +0200, Martin Bialasinski wrote:
> > <snip> 
> > > CL> What is the criteria that determines which packages get .md5sums
> > > CL> files stored in /var/lib/dpkg/info/ ??
> > > 
> > > The file is created during debian/rules binary by dh_md5sums or other
> > > means.
> > > 
> > 
> > Yes...but I wasn't sure if there was policy requirement for this or not(?).
> > Or is it just "a good thing"(TM)?
> What is the current situation about signing binary packages with
> Debian-developer PGP-keys ? I think all Debian packages should be signed in
> some form (PGP, GPG). Would it be enough to sign packages with the own
> (developer) key when this key is in the debian-keyrings package, signed by the
> official Debian key ? Are there any security holes in this procedure ?

Um...each package includes a .dsc file, which is signed by the maintainer,
and contains md5sums of the .deb, .tar.gz and .diff files.  This .dsc file
is used to authenticate the packages when they are uploaded (the signing key
must be in the developer keyring).  The .deb md5sum is then copied into the 
packages file for authentication by apt when it is downloaded by a user.


       As a computer, I find your faith in technology amusing.
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5
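An added example, not from the thread or from dpkg itself: the reply above describes the md5sum manifests that sit in a .dsc ("Files:" continuation lines of the form " <md5> <size> <name>") and the earlier question concerns the per-package .md5sums files in /var/lib/dpkg/info/ ("<md5>  <path>", two spaces). The Python below parses both formats and checks a set of file contents against them, reporting which entries are ok, missing, truncated or altered. The sample stanza, file names and file bytes are constructed for the demo (the digests are computed from those bytes, not taken from any real package), and the block assumes the manifest has already been taken from a .dsc whose signature was checked; it does no signature verification, only the hash step that apt and dpkg rely on afterwards.

```python
import hashlib
import re

# Constructed sample files standing in for the .tar.gz and .diff a .dsc lists.
SAMPLE_FILES = {
    "foo_1.0.orig.tar.gz": b"constructed tarball bytes",
    "foo_1.0-1.diff.gz": b"constructed diff bytes",
}

# .dsc "Files:" continuation line: one leading space, md5 hex, size, name.
DSC_LINE = re.compile(r"^ ([0-9a-f]{32}) (\d+) (\S+)$")
# /var/lib/dpkg/info/<pkg>.md5sums line: md5 hex, two spaces, relative path.
MD5SUMS_LINE = re.compile(r"^([0-9a-f]{32})  (\S.*)$")


def build_files_field(files: dict) -> str:
    """Render a deb822 'Files:' field the way a .dsc carries it (constructed
    manifest for the demo)."""
    lines = ["Files:"]
    for name, data in files.items():
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_dsc_files_field(text: str) -> dict:
    """Return {name: (md5_hex, size)} from a .dsc 'Files:' field.
    A malformed line raises instead of being skipped, so a damaged or
    hand-edited manifest cannot pass verification by omission."""
    entries = {}
    in_field = False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # continuation lines ended; next deb822 field
            m = DSC_LINE.match(line)
            if not m:
                raise ValueError(f"malformed Files entry: {line!r}")
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    return entries


def parse_md5sums_file(text: str) -> dict:
    """Return {path: (md5_hex, None)} from a dpkg .md5sums file; that format
    carries no size, so the size slot is None and only the digest is checked."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MD5SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed md5sums entry: {line!r}")
        digest, path = m.groups()
        entries[path] = (digest, None)
    return entries


def verify_files(manifest: dict, available: dict) -> dict:
    """Check real bytes against a parsed manifest. Returns
    {name: 'ok' | 'missing' | 'size-mismatch' | 'md5-mismatch'}."""
    results = {}
    for name, (digest, size) in manifest.items():
        data = available.get(name)
        if data is None:
            results[name] = "missing"
        elif size is not None and len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.md5(data).hexdigest() != digest:
            results[name] = "md5-mismatch"
        else:
            results[name] = "ok"
    return results


def demo() -> dict:
    """Run the good case and two failure cases on the constructed data."""
    manifest = parse_dsc_files_field(build_files_field(SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["foo_1.0-1.diff.gz"] = b"constructed diff bytez"  # same length, one byte changed
    truncated = dict(SAMPLE_FILES)
    truncated["foo_1.0.orig.tar.gz"] = b"constructed tarball"
    return {
        "clean": verify_files(manifest, SAMPLE_FILES),
        "tampered": verify_files(manifest, tampered),
        "truncated": verify_files(manifest, truncated),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The size check comes before the digest check on purpose: a length mismatch is cheap to spot and already tells you the file is not the one the manifest describes. For the dpkg .md5sums format the same verify routine is used with the size slot set to None, which is what a debsums-style check over /var/lib/dpkg/info/*.md5sums amounts to.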