[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On Thu, 4 Dec 2003 12:43:18 +0100, Eduard Bloch <edi@gmx.de> said: 

>> include <hallo.h>
> * Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:

>> > - current md5sums file in control.tar.gz should contain checksums
>> >   of
>> >    really all files
>> Hard to do for conffiles. Now, if the md5sums were generated

> Then only add the m5sums of the control.tar.gz contents and add it
> to the list created my dh_md5sums.

	That does not help at all. I think you have missed the whole
 point: the files that determine program behaviour on the target
 system do not have checksums that can be generated from

>> at install time, you could checksum my locally modified conffile
>> (even if I did not accept the maintainers changes). The md5sums
>> stored for conffiles currently are rarely any good, since the files
>> are often modified by the admin.

> This needs more work. I think Debian should archive the original
> versions of conffiles on the target filesystem anyways - the absence
> of them is a handicap for any long-term solution.

	What good does checking the original conffiles do when they
 are not looked at by anything?

	And how exactly is 
       DPkg::Post-Invoke {
           "debsums --generate=nocheck -sp /var/cache/apt/archives";
 much more work?

>> > - new dpkg version should pickup the signature files and store
>> >   them
>> >    either in /var/lib/dpkg/info or in some alternative directory
>> Or you could sign the newly generated md5sum files at install time,
>> complete with the checksums of the locally modified conffiles, and
>> not have to depend on knowing the key of the persons producing the
>> Packages file.

> But then you depend on a key that has stored on the local system -
> and I am not sure whom the user should trust more when the system
> has been compromised. And, as said, it requires additional work
> during the installation.

	I think you fail to comprehend the solution I proposed. Where
 did you get the idea the key is on the local machine?


No one knows like a woman how to say things that are at once gentle
and deep. Hugo
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: