Re: debsums for maintainer scripts
* Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
> > - current md5sums file in control.tar.gz should contain checksums of
> > really all files
> Hard to do for conffiles. Now, if the md5sums were generated
Then only add the md5sums of the control.tar.gz contents and add it to
the list created by dh_md5sums.
> at install time, you could checksum my locally modified conffile
> (even if I did not accept the maintainers changes). The md5sums
> stored for conffiles currently are rarely any good, since the files
> are often modified by the admin.
This needs more work. I think Debian should archive the original
versions of conffiles on the target filesystem anyways - the absence of
them is a handicap for any long-term solution.
> > - a signature of the md5sums file should be stored either in
> > control.tar.gz or in the ar file itself
> So you have to download the package itself to check the
> contents of the md5sum file? Why not generate the md5sums at this
> point anyway?
Or they can be stored in the Extended-Contents-* files (or such) in the
archive for random access, see the original mail and others.
> > - new dpkg version should pickup the signature files and store them
> > either in /var/lib/dpkg/info or in some alternative directory
> Or you could sign the newly generated md5sum files at install
> time, complete with the checksums of the locally modified conffiles,
> and not have to depend on knowing the key of the persons producing
> the Packages file.
But then you depend on a key that is stored on the local system - and I
am not sure whom the user should trust more when the system has been
compromised. And, as said, it requires additional work during the
The best reformers the world has ever seen are those who begin with
themselves.
-- George Bernard Shaw
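
The check discussed in this thread, as an added example that is not part of the original mail or of debsums/dpkg: a verifier for a dh_md5sums-style list that also covers maintainer scripts and reports a changed conffile separately from any other mismatch. The `DEBIAN/` prefix for maintainer-script entries, the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Return the hex MD5 digest of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def parse_md5sums(text):
    """Parse dh_md5sums-style lines: '<md5 hex>  <relative path>'."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {path.strip(): digest.lower() for digest, path in pairs}

def verify(md5sums_text, root, conffiles=()):
    """Classify each listed file as ok, missing, conffile-changed or MISMATCH."""
    results = {}
    for rel, want in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of(full) == want:
            results[rel] = "ok"
        elif "/" + rel in conffiles:
            results[rel] = "conffile-changed"  # admin edits are expected here
        else:
            results[rel] = "MISMATCH"          # scripts and binaries must not change
    return results

def demo():
    """Build a constructed package tree, change two files, and verify it."""
    root = tempfile.mkdtemp()
    files = {"DEBIAN/postinst": b"#!/bin/sh\nexit 0\n",   # assumed entry name
             "etc/demo.conf": b"colour=blue\n",
             "usr/bin/demo": b"constructed binary\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    listing = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
    # Simulate an admin edit of the conffile and a modified maintainer script.
    for rel, data in (("etc/demo.conf", b"colour=red\n"), ("DEBIAN/postinst", b"#!/bin/sh\nexit 1\n")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return verify(listing, root, conffiles={"/etc/demo.conf"})

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:17} {path}")
```

The list itself is only as trustworthy as its origin, which is why the thread goes on to discuss where a signature over it should live.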