Re: RFC: Signed packages and translations
On Sat, 1 Sep 2001, Martijn van Oosterhout wrote:
> > The basic idea is to accompany each member in a .deb file with another file
> > that contains an OpenPGP signature for this file. This signature file need
> > not be ascii armored since this would only introduce transmission overhead
> > and gain nothing.
> You could also have multiple signatures if you wanted (sponsor and sponsee)
> or maybe have katie/dinstall/autobuilder/whatever also give a sig.
Yes, this especially makes sense when it comes to bootstrapping since you
don't need a complete Debian keyring on the base floppies if the packages
on the FTP server are signed by katie.
> > If the original filename is no more than sizeof(ar_name)-2 bytes long, ".s"
> > is appended to it. If it is longer, the part of the file name before the
> > first dot or dash is truncated so that the ".s" suffix will fit. If the
> > first component would disappear, the component after the first dot will be
> > used and so on.
> You spend an awful lot of this document dealing with this. According to the
> ar manpage, GNU ar can deal with any length filenames. Other ar can only
> deal with 15 or 16 character names. Note that "control.tar.gz.s" is 16
> characters and thus may not work anyway.
dpkg just uses the ar format (from ar.h), not ar directly. Making the
length depend on sizeof(ar_name) is the way to go since it is the way dpkg
has always done it.
> If we don't want that then I have another idea. Replace the whole .tar.gz
> extension with .sig.
Hrm, would be an option. Added to the list of questions I'm going to ask
in my first summary.
> Can you store multiple signatures in the same file?
Hrm, I haven't read the OpenPGP docs. I believe it is possible somehow.
> > - Once you have a larger number of members in an archive, verifying the
> > signatures on each of them can be very time-consuming. Thus it is
> > recommended to have a "trusted" path from which packages can be
> > installed without checking (see "Transition" below).
> Isn't security worth any price in processing power? MHz is getting cheaper
> anyway. And I would have thought that signature checking would be I/O bound
> rather than CPU bound.
I think signature checking on such packages will take about two times
longer than actually installing the packages. Also I work on an m68k box
which is awfully slow already. :-)
You will only need to check packages from "untrusted" sources. If you buy
a Debian CD, apt should check that the Packages files on the CD are
signed, then believe the packages to be okay. The nice thing is that these
changes are independent from any dpkg changes, so signed packages will
work without it.
> > Translations are added inside special member archives which have their name
> > derived from control.tar.gz by a) prepending "_t" during the transitional
> > period and b) appending their locale name to the first component
> > ("control"), separated by a dash. If the resulting name exceeds
> > sizeof(ar_name) bytes, the first component is shortened accordingly (but
> > never the locale name):
> I'd be tempted to go with either "lang-de.tar.gz" or even just
> "de_AT.tar.gz" with optional underscoring.
I'd like to keep the control vs. data distinction. Like I wrote in a
previous mail, I could also think of locale-dependent data archives, which
are only unpacked if the user requested it (think of .mo files).
> The end looks cut off to me. Is there no epilogue?
Not yet. It's a first draft. :-)
GPG public key available from http://phobos.fs.tum.de/pgp/Simon.Richter.asc
Fingerprint: DC26 EB8D 1F35 4F44 2934 7583 DBB6 F98D 9198 3292
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!
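The naming rule for signature members quoted above, worked through as an added C example (not code from the draft or from dpkg). As dpkg does, it takes the width from ar_name in <ar.h>; where the draft says a vanishing first component is skipped, this example assumes the component is dropped together with its separator.

```c
#include <ar.h>      /* struct ar_hdr: the member header dpkg writes */
#include <stddef.h>
#include <string.h>

/* dpkg bounds member names by the header field, not by any ar tool. */
#define AR_NAME_LEN sizeof(((struct ar_hdr *)0)->ar_name)   /* 16 */
/*
 * Derive the signature member name for `name` as the draft describes:
 * append ".s" when that fits in ar_name; otherwise shorten the leading
 * component (text before the first '.' or '-') by just enough; if that
 * component would vanish, drop it together with its separator (an
 * assumption of this example) and apply the rule to the next component.
 * `out` needs AR_NAME_LEN + 1 bytes. Returns the length written, or 0
 * when only the last component remains and the name still does not fit.
 */
size_t sig_member_name(const char *name, char *out)
{
    size_t len = strlen(name);
    size_t excess = (len + 2 > AR_NAME_LEN) ? len + 2 - AR_NAME_LEN : 0;
    const char *p = name;  /* unprocessed tail of name */
    size_t n = 0;          /* bytes already placed in out */

    while (excess > 0) {
        size_t comp = strcspn(p, ".-");  /* length of current component */
        if (p[comp] == '\0')
            return 0;                    /* last component: never cut */
        if (comp > excess) {
            memcpy(out + n, p, comp - excess);  /* keep a prefix of it */
            n += comp - excess;
            p += comp;
            excess = 0;
        } else {
            excess = (excess > comp + 1) ? excess - (comp + 1) : 0;
            p += comp + 1;               /* drop component and separator */
        }
    }
    size_t rest = strlen(p);
    memcpy(out + n, p, rest);
    n += rest;
    memcpy(out + n, ".s", 3);            /* suffix plus terminating NUL */
    return n + 2;
}

/* Convenience check used by the tests: does `name` map to `expected`? */
int sig_name_is(const char *name, const char *expected)
{
    char buf[AR_NAME_LEN + 1];
    return sig_member_name(name, buf) != 0 && strcmp(buf, expected) == 0;
}
```

Note that "control.tar.gz.s" comes out at exactly sizeof(ar_name) bytes, which is what the objection about 16-character names turns on.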