Re: debsums for maintainer scripts
On Thu, 4 Dec 2003 12:43:18 +0100, Eduard Bloch <firstname.lastname@example.org> said:
>> include <hallo.h>
> * Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
>> > - current md5sums file in control.tar.gz should contain checksums
>> > of
>> > really all files
>> Hard to do for conffiles. Now, if the md5sums were generated
> Then only add the m5sums of the control.tar.gz contents and add it
> to the list created my dh_md5sums.
That does not help at all. I think you have missed the whole
point: the files that determine program behaviour on the target
system do not have checksums that can be generated from
>> at install time, you could checksum my locally modified conffile
>> (even if I did not accept the maintainers changes). The md5sums
>> stored for conffiles currently are rarely any good, since the files
>> are often modified by the admin.
> This needs more work. I think Debian should archive the original
> versions of conffiles on the target filesystem anyways - the absence
> of them is a handicap for any long-term solution.
What good does checking the original conffiles do when they
are not looked at by anything?
And how exactly is
"debsums --generate=nocheck -sp /var/cache/apt/archives";
much more work?
>> > - new dpkg version should pickup the signature files and store
>> > them
>> > either in /var/lib/dpkg/info or in some alternative directory
>> Or you could sign the newly generated md5sum files at install time,
>> complete with the checksums of the locally modified conffiles, and
>> not have to depend on knowing the key of the persons producing the
>> Packages file.
> But then you depend on a key that has stored on the local system -
> and I am not sure whom the user should trust more when the system
> has been compromised. And, as said, it requires additional work
> during the installation.
I think you fail to comprehend the solution I proposed. Where
did you get the idea the key is on the local machine?
No one knows like a woman how to say things that are at once gentle
and deep. Hugo
Manoj Srivastava <email@example.com> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C