Re: debsums for maintainer scripts
On Mon, 1 Dec 2003 18:08:28 +0100, Eduard Bloch <firstname.lastname@example.org> said:
> AFAICS the only way to verify the contents of maintainer scripts
> automatically is to have the binary package, verify its contents via
> .changes or Release/Packages path, extract it and compare the
> files. Too complicated.
umm, not if it is automated at install time, when the package
is present already.
> I would like to see the following things happen:
> - current md5sums file in control.tar.gz should contain checksums of
> really all files
Hard to do for conffiles. Now, if the md5sums were generated
at install time, you could checksum my locally modified conffile
(even if I did not accept the maintainer's changes). The md5sums
stored for conffiles currently are rarely any good, since the files
are often modified by the admin.
> - a signature of the md5sums file should be stored either in
> control.tar.gz or in the ar file itself
So you have to download the package itself to check the
contents of the md5sum file? Why not generate the md5sums at this
> - new dpkg version should pickup the signature files and store them
> either in /var/lib/dpkg/info or in some alternative directory
Or you could sign the newly generated md5sum files at install
time, complete with the checksums of the locally modified conffiles,
and not have to depend on knowing the key of the persons producing
the Packages file.
> - modify debsums to check the signature as well as maintainer
> scripts' checksums
I have a theory that it's impossible to prove anything, but I can't
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
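The install-time scheme sketched in this reply (checksum the files as they sit on disk after install, locally edited conffiles included, sign that manifest with a local key, and later verify both the signature and the files), as an added example that is not part of this thread. The package name, paths and signing key are constructed stand-ins, and an HMAC stands in for the gpg signature dpkg would actually store.

```python
import hashlib, hmac, os, tempfile

def generate_manifest(root, files):
    """Checksum every listed file as it exists *now*, so a conffile the
    admin already edited gets its local checksum, not the maintainer's."""
    lines = []
    for rel in sorted(files):
        with open(os.path.join(root, rel), "rb") as f:
            lines.append(f"{hashlib.md5(f.read()).hexdigest()}  {rel}")
    return "\n".join(lines) + "\n"

def sign_manifest(manifest, key):
    # Hypothetical local admin key; HMAC-SHA256 stands in for gpg here.
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def verify(root, manifest, signature, key):
    """Return (signature_ok, list of files whose checksum changed)."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, []          # manifest itself was altered: stop here
    changed = []
    for line in manifest.splitlines():
        digest, rel = line.split("  ", 1)
        with open(os.path.join(root, rel), "rb") as f:
            if hashlib.md5(f.read()).hexdigest() != digest:
                changed.append(rel)
    return True, changed

def demo():
    # Constructed fake root: one locally edited conffile, one postinst.
    root = tempfile.mkdtemp()
    files = {"etc/foo.conf": b"Option=1\n",
             "var/lib/dpkg/info/foo.postinst": b"#!/bin/sh\nexit 0\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    key = b"constructed-local-key"
    manifest = generate_manifest(root, files)
    sig = sign_manifest(manifest, key)
    clean = verify(root, manifest, sig, key)
    # Maintainer script modified after install: signature still valid,
    # but the file shows up as changed.
    with open(os.path.join(root, "var/lib/dpkg/info/foo.postinst"), "ab") as f:
        f.write(b"echo changed\n")
    tampered = verify(root, manifest, sig, key)
    # Manifest edited without the key: signature check fails outright.
    forged = verify(root, manifest + "deadbeef  etc/extra\n", sig, key)
    return clean, tampered, forged
```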