
Re: Secure apt-get



Itai Zukerman <zukerman@math-hat.com> writes:

> > gopher://gopher.quux.org:70/9/devel/debian/debsigs.ps   (PostScript)
> > gopher://gopher.quux.org:70/0/devel/debian/debsigs.txt  (Plain Text)
> 
> Hi,
> 
> I finally got around to reading this, and I have one concern: It seems
> with this scheme you need to extract the components in order to decide
> if two .debs are the same, since adding signatures changes their
> lengths/md5sums.  For example, Corel puts out a foo_1_i386.deb, how do

That is correct.

> I find out if it's the same as one in Debian proper?  Will we be
> seeing a debcmp utility?

I could trivially add a feature to debsigs to spit out md5sums of each
individual component, which you could then use for comparisons.  Or do
comparisons of the type you want itself.

-- John

-- 
John Goerzen <jgoerzen@complete.org>                       www.complete.org
Sr. Software Developer, Progeny Linux Systems, Inc.    www.progenylinux.com
#include <std_disclaimer.h>                     <jgoerzen@progenylinux.com>
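
The per-component comparison discussed in this message, as an added example (not part of the original post and not debsigs code): it reads a .deb as an ar archive, hashes each member, and skips signature members so a signed and an unsigned copy compare equal. It assumes signature members are named with a `_gpg` prefix and uses SHA-256 in place of the md5sums mentioned above; the helper names and the sample archives are constructed for illustration.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(data):
    """Yield (name, payload) for each member of an ar archive given as bytes."""
    if data[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(data):
        header = data[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = header[:16].decode("ascii").rstrip().rstrip("/")
        size = int(header[48:58].decode("ascii"))
        payload = data[pos + 60:pos + 60 + size]
        if len(payload) != size:
            raise ValueError("truncated member %r" % name)
        yield name, payload
        pos += 60 + size + (size & 1)  # member data is padded to an even length

def component_digests(data, sig_prefix="_gpg"):
    """Ordered (name, sha256) pairs for every member that is not a signature.
    Assumption: signature members are those whose name starts with sig_prefix."""
    return [(name, hashlib.sha256(payload).hexdigest())
            for name, payload in ar_members(data)
            if not name.startswith(sig_prefix)]

def same_package(a, b):
    """True when two .deb files carry identical non-signature components."""
    return component_digests(a) == component_digests(b)

def build_ar(members):
    """Build a minimal ar archive from (name, payload) pairs (sample data only)."""
    out = AR_MAGIC
    for name, payload in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n"
                % (name, 0, 0, 0, "100644", len(payload))).encode("ascii")
        out += payload + (b"\n" if len(payload) & 1 else b"")
    return out

# Constructed stand-ins for foo_1_i386.deb: unsigned, signed, signed with altered data.
BASE = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"constructed-control"),
        ("data.tar.gz", b"constructed-data")]
SIG = [("_gpgorigin", b"constructed-signature")]
UNSIGNED = build_ar(BASE)
SIGNED = build_ar(BASE + SIG)
TAMPERED = build_ar(BASE[:2] + [("data.tar.gz", b"altered-data")] + SIG)

if __name__ == "__main__":
    print(same_package(UNSIGNED, SIGNED), same_package(SIGNED, TAMPERED))
```

Equal component digests only show that the payloads match; whether the embedded signatures are valid is a separate check.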


