
RFC: Signed packages and translations



Hi,

after a long night, I have a first draft of my proposal that defines
signed packages and translations added to existing binary packages.

<getting asbestos suit>

   Simon

-- 
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
 Fingerprint: DC26 EB8D 1F35 4F44 2934  7583 DBB6 F98D 9198 3292
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

                     Signed .deb archives and translations
                    ---------------------------------------

Step 1: Signed archives
-----------------------

The basic idea is to accompany each member of a .deb file with another member
that contains an OpenPGP signature over that file. This signature file need
not be ASCII armored, since armoring would only add transmission overhead
and gain nothing. The name of the signature file is derived from the
original member name as follows:

If the original filename is no more than sizeof(ar_name)-2 bytes long, ".s"
is appended to it. If it is longer, the part of the file name before the
first dot or dash is truncated so that the ".s" suffix will fit. If the
first component would disappear, the component after the first dot will be
used and so on.

During the transition period (two releases), dpkg-deb should generate file
names by prepending "_s" rather than appending ".s" when building packages
and accept both names when extracting or verifying. This allows signed
packages to be processed with older versions of dpkg which would exit with
an error if they encountered an unknown archive member (files whose names
start with an underscore are silently ignored).

Examples:

Name                Transition name     Final name
control.tar.gz      _scontrol.tar.gz    control.tar.gz.s
contro-de.tar.gz    _scont-de.tar.gz    cont-de.tar.gz.s
con-de_AT.tar.gz    _sc-de_AT.tar.gz    c-de_AT.tar.gz.s

Benefits: 

 - An end user can verify who built the .deb file.
 - Since individual members of the archive are signed, it is possible to
   add or remove parts of Debian archives later without invalidating the
   entire file. This makes sense when it comes to translated
   Debian-specific information, like the package "Description" or debconf
   templates.

Drawbacks:

 - Once you have a larger number of members in an archive, verifying the
   signatures on each of them can be very time-consuming. Thus it is
   recommended to have a "trusted" path from which packages can be
   installed without checking (see "Transition" below).

Implementation:

 - Modify dpkg-deb to verify the signatures of archive members on extract,
   unless told otherwise. dpkg-deb should not fail if the signature members
   are missing since the packages currently on the Debian FTP servers would
   no longer install.
 - Add commands to dpkg-deb to verify package members' signatures, remove
   all unsigned members from an archive (this is helpful in conjunction
   with the "trusted" path) and sign members.
 - The default behaviour of dpkg-deb's build command should be to leave
   package members unsigned, so that existing package build scripts and
   autobuilders do not break.
 - Modify the autobuilders and existing developer scripts ("debsign") so
   that they call dpkg-deb to sign the packages additionally to signing the
   .changes file.
 - (optional) Modify apt to download packages to an "untrusted" directory,
   check a package's signatures and then move the package to the regular
   apt cache directory. Signature verification can take place while other
   packages are still being downloaded in order to minimize the performance
   hit introduced by signed packages.

Transition:

 - (after two releases) Modify dpkg-deb so that it creates the names for
   signature files by appending ".s" rather than prepending "_s" -- All
   older dpkg versions which throw an error should have been phased out by
   then.
 - (after four releases, optional) Drop support for the transitional member
   names in dpkg-deb.

Step 2: Allow addition/removal of members in .deb archives
----------------------------------------------------------

In order for automatic insertion of translated texts into ready .deb
archives to work, dpkg-deb needs to support adding and removing of members,
together with their signatures.

Implementation:

 - Add commands to dpkg-deb to add, remove and extract individual member
   files. It may be a good idea to have dpkg-deb arrange the signatures
   behind the files they were created for in order to speed up processing.

Step 3: Translations
--------------------

Translations are added inside special member archives which have their name
derived from control.tar.gz by a) prepending "_t" during the transitional
period and b) appending their locale name to the first component
("control"), separated by a dash. If the resulting name exceeds
sizeof(ar_name) bytes, the first component is shortened accordingly (but
never the locale name):

Locale              Transition name     Final name
de                  _tcont-de.tar.gz    contro-de.tar.gz
de_AT               _tc-de_AT.tar.gz    con-de_AT.tar.gz
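The member naming rules of Step 1 (signature members) and Step 3 (translation archives), written out as an added example; this is not part of the proposal or of dpkg-deb. It assumes sizeof(ar_name) is 16 bytes (the ar(5) header field), reads "the component after the first dot will be used" as dropping an exhausted first component and continuing with the next one, and the function names are my own.

```python
import re

AR_NAME_SIZE = 16  # sizeof(ar_name) in the ar(5) member header of a .deb

def _truncate_components(name, excess):
    """Remove `excess` bytes from the leading components of `name`.

    Components are separated by '.' or '-'. Bytes are taken from the first
    component; if it would disappear entirely it is dropped together with
    its separator and truncation continues on the next component. This is
    one reading of the proposal's rule (an assumption, not dpkg's code).
    """
    while excess > 0:
        comp, sep = re.match(r'([^.-]*)([.-]?)', name).groups()
        if len(comp) > excess:
            return comp[:len(comp) - excess] + name[len(comp):]
        if not sep:
            raise ValueError(f'cannot shorten {name!r} by {excess} bytes')
        excess -= len(comp) + len(sep)
        name = name[len(comp) + len(sep):]
    return name

def signature_member_name(member, transitional=False):
    """Step 1: name of the detached-signature member accompanying `member`."""
    excess = len(member) + 2 - AR_NAME_SIZE  # room for "_s" or ".s"
    if transitional:
        # A leading '_' makes pre-transition dpkg skip the member silently.
        return '_s' + _truncate_components(member, excess)
    return _truncate_components(member, excess) + '.s'

def translation_member_name(locale, transitional=False):
    """Step 3: name of the translated control archive for `locale`."""
    prefix = '_t' if transitional else ''
    first, rest = 'control', '.tar.gz'
    excess = len(prefix) + len(first) + 1 + len(locale) + len(rest) - AR_NAME_SIZE
    if excess >= len(first):
        raise ValueError(f'locale {locale!r} leaves no room for {first!r}')
    if excess > 0:
        first = first[:len(first) - excess]  # shorten "control", never the locale
    return f'{prefix}{first}-{locale}{rest}'

def translation_with_signature(locale):
    """Final-form translation archive name together with its signature name."""
    tr = translation_member_name(locale)
    return tr, signature_member_name(tr)
```

Running the functions over the names in the two tables above reproduces every row, and every result stays within the 16-byte ar_name field.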

Note: Since the member names start to get rather meaningless that way, it
might be a good idea to replace the .tar.gz by .tgz (See the transition
notes).

The translation archive can contain a "control" and a "templates" file.
These files have much the same format as the corresponding files from the
control.tar.gz file but with the exception that they contain only the
identifiers ("Package: xyz" for "control" and "Template: foo/bar" for
"templates") and the translated "Description-ll_CC:" field. These files are
merged by dpkg-deb when extracting the package.
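One way the merge at extraction time could work, as an added example rather than dpkg-deb's code: it assumes the translation file carries only the identifier and Description-ll_CC fields as described, that paragraphs are matched on "Package" (control) or "Template" (templates), and that a translated field already present in the main file is kept rather than overwritten. The sample files are constructed.

```python
def parse_paragraphs(text):
    """Split RFC822-style control text into paragraphs of (field, value)
    pairs; continuation lines (leading whitespace) extend the last field."""
    paragraphs, fields = [], []
    for line in text.splitlines():
        if not line.strip():
            if fields:
                paragraphs.append(fields)
            fields = []
        elif line[0] in ' \t':
            name, value = fields[-1]
            fields[-1] = (name, value + '\n' + line)
        else:
            name, _, value = line.partition(':')
            fields.append((name.strip(), value.strip()))
    if fields:
        paragraphs.append(fields)
    return paragraphs

def format_paragraphs(paragraphs):
    return '\n\n'.join('\n'.join(f'{n}: {v}' for n, v in p)
                       for p in paragraphs) + '\n'

def merge_translations(main_text, translation_text, key='Package'):
    """Copy the Description-ll_CC fields of each translation paragraph into
    the main paragraph with the same `key` value ('Package' for control,
    'Template' for templates). A translated field already in the main file
    is kept, so a maintainer-supplied translation wins (assumption)."""
    main = parse_paragraphs(main_text)
    by_key = {dict(p).get(key): p for p in main}
    for tpara in parse_paragraphs(translation_text):
        ident = dict(tpara).get(key)
        target = by_key.get(ident)
        if target is None:
            raise ValueError(f'{key} {ident!r} not found in main file')
        present = {n for n, _ in target}
        for name, value in tpara:
            if name.startswith('Description-') and name not in present:
                target.append((name, value))
    return format_paragraphs(main)

# Constructed sample input (not taken from any real package).
MAIN_CONTROL = """\
Package: hello
Description: The classic greeting, and a good example
 The GNU hello program produces a familiar, friendly greeting.
"""
TRANSLATION_DE = """\
Package: hello
Description-de: Der klassische Gruss, und ein gutes Beispiel
 Das GNU-Programm hello gibt einen freundlichen Gruss aus.
"""
```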

Advantages:

 - You can specify translations for the package description and templates
   inside a .deb archive.
 - It is possible to add, modify and remove these translations without
   maintainer intervention.

Disadvantages:

 - Due to the small size of these files, they will compress badly.

Implementation:

 - Modify dpkg-deb to extract the additional files to temporary locations
   and merge them into the main "control" and "templates" files afterwards.
 - Modify dpkg-deb to split the "control" and "templates" files when
   building packages. This allows a maintainer to provide translations in
   the package for him/herself.
 - Add the necessary hooks into katie so that .deb files can be processed
   before copying them into the FTP tree and can be reprocessed later (if
   the translation database changes).
 - Write a script that generates the localized control archives and adds
   them into the .deb file (not replacing existing control archives, so a
   maintainer can override translations from the database).

Transition:

 - (after two releases) Make the "final" file names the default in
   dpkg-deb.
 - (after four releases, optional) Drop support for the transitional file
   names.
