Re: Debian (would like) to do list
On Mon, 29 Jul 2002 00:06:04 +0900 (JST)
Oohara Yuuma <firstname.lastname@example.org> wrote:
> On Fri, 26 Jul 2002 16:07:41 -0500 (CDT),
> Drew Scott Daniels <umdanie8@cc.UManitoba.CA> wrote:
> > Packages being signed by multiple people and allowing users to assign
> > trust levels (checked before installing an upgrade) to people could
> > improve security.
> I wonder how this can be achieved. The signature should be a detached
> signature to .deb (or tarballs in it). How do you audit .deb? Yes,
> I can unpack it with dpkg (or ar and tar), but what if it contains some
> ELF executable? At least I don't know assembly language, and don't say
> Debian supports 11 architectures so there is 11 kinds of assembly
> language. Note that rebuilding the package does not necessarily produce
> .deb with the same md5sum unless it has very strict build-dependency.
We could add another file(s) inside the ar archive that has signatures of
the MD5sum (or SHA1) and file size of the data.tar.gz and control.tar.gz
It would need a way to indicate the binary package has changed (signature
added) but nothing else had changed... that could get messy.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org