
Re: Debian (would like) to do list

On Mon, 29 Jul 2002 00:06:04 +0900 (JST)
Oohara Yuuma <oohara@libra.interq.or.jp> wrote:

> On Fri, 26 Jul 2002 16:07:41 -0500 (CDT),
> Drew Scott Daniels <umdanie8@cc.UManitoba.CA> wrote:
> > Packages being signed by multiple people and allowing users to assign
> > trust levels (checked before installing an upgrade) to people could
> > improve security.
> I wonder how this can be achieved.  The signature should be a detached
> signature to .deb (or tarballs in it).  How do you audit .deb?  Yes,
> I can unpack it with dpkg (or ar and tar), but what if it contains some
> ELF executable?  At least I don't know assembly language, and don't say
> Debian supports 11 architectures so there are 11 kinds of assembly
> language. Note that rebuilding the package does not necessarily produce
> .deb with the same md5sum unless it has very strict build-dependency.

We could add another file(s) inside the ar archive that has signatures of
the MD5sum (or SHA1) and file size of the data.tar.gz and control.tar.gz.

It would need a way to indicate the binary package has changed (signature
added) but nothing else had changed... that could get messy.
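
Added example, not part of the original message and not dpkg code: a sketch of the proposal above that reads the ar members of a .deb, builds the size-and-digest manifest a signer would sign, and shows that appending a signature member changes the whole-file digest but not the manifest. Assumptions: SHA-256 is used in place of the MD5/SHA1 named in the message, the member name `_sig-example` and the manifest layout are hypothetical, and the sample archive is constructed with dummy member contents.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
COVERED = ("control.tar.gz", "data.tar.gz")  # members named in the message

def ar_member(name, data):
    """Serialize one ar member: 60-byte header, data, pad to even length."""
    header = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (
        name.encode(), 0, 0, 0, b"100644", len(data))
    return header + data + (b"\n" if len(data) % 2 else b"")

def ar_members(blob):
    """Yield (name, data) for every member of an ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) != 60 or header[58:] != b"`\n":
            raise ValueError("corrupt ar member header")
        size = int(header[48:58].decode())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated ar member")
        yield header[:16].decode().rstrip(" /"), data
        pos += 60 + size + size % 2  # members start on even offsets

def payload_manifest(deb):
    """'name size sha256' lines for the covered members: the text to sign."""
    return "".join(
        f"{name} {len(data)} {hashlib.sha256(data).hexdigest()}\n"
        for name, data in ar_members(deb) if name in COVERED)

def add_member(deb, name, data):
    """Append one more member, e.g. a signature over the manifest."""
    return deb + ar_member(name, data)

# Constructed stand-in for a .deb: member contents are dummy bytes.
SAMPLE_DEB = (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
              + ar_member("control.tar.gz", b"constructed-control")
              + ar_member("data.tar.gz", b"constructed-data"))

if __name__ == "__main__":
    # "_sig-example" and its content are hypothetical placeholders.
    signed = add_member(SAMPLE_DEB, "_sig-example", b"<signature bytes>")
    print("whole-file digest changed:",
          hashlib.sha256(signed).digest() != hashlib.sha256(SAMPLE_DEB).digest())
    print("payload manifest unchanged:",
          payload_manifest(signed) == payload_manifest(SAMPLE_DEB))
```

A verifier that checks the signature against this manifest rather than against the digest of the whole .deb can tell a package that only gained a signature member from one whose control or data archive changed.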


