Compromise for md5sum files [Was: Re: debsums for maintainer scripts]
how about the following compromise:
Instead of having a md5sums file inside the control.tar.gz the md5sums
file is added to the end deb archive as "md5sums". The file would
contain a sorted list of all files in data.tar.gz _and_ control.tar.gz
(moved into /var/lib/dpkg/info where they end up). (The md5sums file
would be generated by dpkg-deb and dh_md5sums would be made a dummy
saying its deprecated and removed from all sources over time.)
The debsums package (or dpkg directly) adds an option to keep the
md5sums file around or not. Which of the 2 should be the default
remains to be discussed (if debsums adds it it would be default to on,
if you don't want it purge debsums).
The md5sum of the md5sums file is added to the changes file (signed by
the maintainer) and to the Packages file by dinstall. It will also be
signed by debsigs.
Can everyone live with that?