debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
John Goerzen wrote on Monday, 01 December 2003:
> Debsigs generates its signature by effectively cating the control and
> data components of the ar file together, running that through gpg, and
> storing the resulting signature data in a new component of the ar file.
> I did test this back in 2001 and the code caused no problem for dpkg
> extraction. In short, if a system does not use debsigs, the whole
> signature is invisible to the system tools.

Kinda off-topic, but nowhere in the discussion was the question of checking
already installed files addressed, and it should be asked:
are there any plans to store md5sums of the maintainer scripts along
with the current ones that are already created for the data.tar.gz
contents? I imagine an attacker placing a time bomb into a prerm script
of an installed package and waiting for his next chance.

AFAICS the only way to verify the contents of maintainer scripts
automatically is to have the binary package, verify its contents via
.changes or Release/Packages path, extract it and compare the files. Too

I would like to see the following things happen:
- current md5sums file in control.tar.gz should contain
  checksums of really all files
- a signature of the md5sums file should be stored either in
  control.tar.gz or in the ar file itself
- new dpkg version should pick up the signature files and store them
  either in /var/lib/dpkg/info or in some alternative directory
- modify debsums to check the signature as well as maintainer scripts'

Any additions, comments, etc.?

What can possibly thrive on the hard ground of facts.
-- Stanislaw Jerzy Lec (real name S. J. de Tusch-Letz)
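
The manual check described in the message above (take the binary package, extract it, compare the maintainer scripts with the installed copies), written out as an added example; it is not part of the original post and not dpkg or debsums code. It assumes the .deb bytes were already verified via .changes or Release/Packages, and the function names and status labels are hypothetical.

```python
import io
import tarfile
from pathlib import Path

SCRIPTS = ("preinst", "postinst", "prerm", "postrm", "config")

def ar_members(deb: bytes):
    """Yield (name, data) for each member of the ar container of a .deb."""
    if deb[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().rstrip(" /")
        size = int(hdr[48:58].decode().strip())
        yield name, deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def package_scripts(deb: bytes) -> dict:
    """Return {script name: bytes} for maintainer scripts in control.tar.*"""
    for name, data in ar_members(deb):
        if name.startswith("control.tar"):
            found = {}
            # "r:*" lets tarfile detect gz/bz2/xz compression itself
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for m in tar:
                    base = m.name.removeprefix("./")
                    if m.isfile() and base in SCRIPTS:
                        found[base] = tar.extractfile(m).read()
            return found
    raise ValueError("no control.tar member in package")

def check_installed(deb: bytes, pkg: str, info_dir="/var/lib/dpkg/info") -> dict:
    """Compare installed <pkg>.<script> files with those shipped in the .deb."""
    expected = package_scripts(deb)
    report = {}
    for script in SCRIPTS:
        path = Path(info_dir) / f"{pkg}.{script}"
        want = expected.get(script)
        if not path.is_file():
            if want is not None:
                report[script] = "missing"
        elif want is None:
            report[script] = "unexpected"  # installed, but not shipped in the .deb
        else:
            report[script] = "ok" if path.read_bytes() == want else "modified"
    return report
```

Any result other than "ok" for a script is worth investigating; the check is only as trustworthy as the copy of the .deb it compares against.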