[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On Mon, 1 Dec 2003 18:08:28 +0100, Eduard Bloch <edi@gmx.de> said: 

> AFAICS the only way to verify the contents of maintainer scripts
> automaticaly is to have the binary package, verify its contents via
> .changes or Release/Packages path, extract it and compare the
> files. Too complicated.

	umm, not if it is automated at install time, when the package
 is present already.

> I would like to see the following things happen:

> - current md5sums file in control.tar.gz should contain checksums of
>    really all files

	Hard to do for conffiles. Now, if the md5sums were generated
 at install time, you could checksum my locally modified conffile
 (even if I did not accept the maintainers changes). The md5sums
 stored for conffiles currently are rarely any good, since the files
 are often modified by the admin.

> - a signature of the md5sums file should be stored either in
>    control.tar.gz or in the ar file itself

	So you have to download the package itself to check the
 contents of the md5sum fule? Why not generate the md5sums at this
 point anyway?

> - new dpkg version should pickup the signature files and store them
>    either in /var/lib/dpkg/info or in some alternative directory

	Or you could sign the newly generated md5sum files at install
 time, complete with the checksums of the locally modified conffiles,
 and not have to depend on knowing the key of the persons producing
 the Packages file.

> - modify debsums to check the signature as well as maintainer
>    scripts' checksums


I have a theory that it's impossible to prove anything, but I can't
prove it.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: