Re: Bug#132767: debsum support should be mandatory
Manoj Srivastava <srivasta@debian.org> writes:
> Bingo. Without the signature on the hash file, network access is
> _required_ to do any verification. Assuming, of course, that the
> Packages file has stayed around. And that is the telling blow to
> your solution. Packages files are ephemeral.
Indeed they are -- today. Sun keeps fingerprints of all the files
they have ever released. You can give them an md5sum, and they'll tell
you which package or patch that file comes from.
Example use: I submitted "706838f45324246b3cac7c7bbeecb18c" into
http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
and got the following result:
706838f45324246b3cac7c7bbeecb18c - - 1 match(es)
canonical-path: /kernel/genunix
package: SUNWcsr
version: 11.7.0,REV=1998.09.01.04.16
architecture: sparc
source: Solaris 7/SPARC
patch: 106541-18
See also http://www.sun.com/security/blueprints/#fingerprint
Debian could supply the same service; I don't think the data storage
requirements are a problem.
But I agree with Wichert -- this needs to be done properly in the
Debian infrastructure, it doesn't make sense to do this in each
package.
Kjetil T.
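The lookup Kjetil describes is a reverse index from file digest to (package, version, path), built once from the md5sums listings of every package the archive has ever shipped, and queried with nothing but a digest. The following is an added example, not code from the thread or from Debian or Sun, showing the two halves of such a service: building the index from dpkg-style md5sums listings, and walking an installed tree to classify each file as known (with every package/version it appears in, Sun-style) or unknown. The package names, versions and file contents are constructed for the example, and the "installed" tree is a temporary directory with one deliberately modified file.

```python
"""Offline file-fingerprint index in the spirit of Sun's fileFingerprints service.

All package names, versions and file contents below are constructed for this
example.  MD5 is used because that is what both debsums and the Sun service
use; note that MD5 is collision-broken, so a match only proves the file is
unchanged against accidental or unsophisticated modification, not against an
attacker who can craft colliding files.
"""
import hashlib
import os
import string
import tempfile
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Match(NamedTuple):
    canonical_path: str
    package: str
    version: str
    architecture: str


PkgKey = Tuple[str, str, str]  # (package, version, architecture)

# Constructed "archive": two versions of a hypothetical package.  /bin/hypo-true
# is identical in both versions, so its digest must yield two matches.
SAMPLE_ARCHIVE: Dict[PkgKey, Dict[str, bytes]] = {
    ("hypothetical-base", "1.0-1", "i386"): {
        "/bin/hypo-true": b"#!/bin/sh\nexit 0\n",
        "/etc/hypo.conf": b"# default config\nverbose = 0\n",
    },
    ("hypothetical-base", "1.0-2", "i386"): {
        "/bin/hypo-true": b"#!/bin/sh\nexit 0\n",
        "/etc/hypo.conf": b"# default config\nverbose = 1\n",
    },
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_md5sums_listing(files: Dict[str, bytes]) -> str:
    """Render a dpkg-style md5sums listing: '<hex>  <path without leading />' per line."""
    return "".join(f"{md5_hex(data)}  {path.lstrip('/')}\n"
                   for path, data in sorted(files.items()))


def parse_md5sums(text: str) -> List[Tuple[str, str]]:
    """Parse a dpkg-style md5sums listing into (digest, absolute path) pairs."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip("\n")
        if not line.strip():
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 32 or any(c not in string.hexdigits for c in digest) or not rel:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        entries.append((digest.lower(), "/" + rel))
    return entries


def build_index(listings: Dict[PkgKey, str]) -> Dict[str, List[Match]]:
    """Reverse index: digest -> every (path, package, version, arch) that ships it."""
    index: Dict[str, List[Match]] = defaultdict(list)
    for (pkg, ver, arch), text in listings.items():
        for digest, path in parse_md5sums(text):
            index[digest].append(Match(path, pkg, ver, arch))
    return dict(index)


def lookup(index: Dict[str, List[Match]], digest: str) -> List[Match]:
    return index.get(digest.strip().lower(), [])


def format_result(digest: str, matches: List[Match]) -> str:
    """Render a lookup in the same shape as the Sun output quoted in the thread."""
    lines = [f"{digest} - - {len(matches)} match(es)"]
    for m in matches:
        lines += [f"canonical-path: {m.canonical_path}", f"package: {m.package}",
                  f"version: {m.version}", f"architecture: {m.architecture}"]
    return "\n".join(lines)


def verify_tree(index: Dict[str, List[Match]], root: str) -> Dict[str, List[Match]]:
    """Hash every regular file under root; an empty match list means 'unknown to the archive'."""
    report: Dict[str, List[Match]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = md5_hex(fh.read())
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            report[rel] = lookup(index, digest)
    return report


def demo() -> Dict[str, List[Match]]:
    """Install version 1.0-2 into a temp dir, tamper with /bin/hypo-true, verify the tree."""
    listings = {key: build_md5sums_listing(files) for key, files in SAMPLE_ARCHIVE.items()}
    index = build_index(listings)
    with tempfile.TemporaryDirectory() as root:
        for path, data in SAMPLE_ARCHIVE[("hypothetical-base", "1.0-2", "i386")].items():
            full = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "bin", "hypo-true"), "ab") as fh:
            fh.write(b"echo tampered\n")  # simulated modification
        return verify_tree(index, root)


if __name__ == "__main__":
    for path, matches in sorted(demo().items()):
        print(path, "->", "UNKNOWN" if not matches else f"{len(matches)} match(es)")
```

The report distinguishes two cases a plain debsums check cannot: a digest that appears in several package versions (the unchanged `/bin/hypo-true`) is reported with all of them, and a digest absent from the index is reported as unknown rather than as a mismatch against one particular Packages file. The index is the only thing that has to be kept around, which is the storage question the post raises; the trust question from the quoted text (who vouches for the index itself) is not addressed by this code.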