Re: debsums for maintainer scripts
#include <hallo.h>
* Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
> > - current md5sums file in control.tar.gz should contain checksums of
> > really all files
>
> Hard to do for conffiles. Now, if the md5sums were generated
Then only add the md5sums of the control.tar.gz contents and add it to
the list created by dh_md5sums.
> at install time, you could checksum my locally modified conffile
> (even if I did not accept the maintainers changes). The md5sums
> stored for conffiles currently are rarely any good, since the files
> are often modified by the admin.
This needs more work. I think Debian should archive the original
versions of conffiles on the target filesystem anyways - the absence of
them is a handicap for any long-term solution.
> > - a signature of the md5sums file should be stored either in
> > control.tar.gz or in the ar file itself
>
> So you have to download the package itself to check the
> contents of the md5sum file? Why not generate the md5sums at this
> point anyway?
Or they can be stored in the Extended-Contents-* files (or such) in the
archive for random access, see the original mail and others.
> > - new dpkg version should pickup the signature files and store them
> > either in /var/lib/dpkg/info or in some alternative directory
>
> Or you could sign the newly generated md5sum files at install
> time, complete with the checksums of the locally modified conffiles,
> and not have to depend on knowing the key of the persons producing
> the Packages file.
But then you depend on a key that is stored on the local system - and I
am not sure whom the user should trust more when the system has been
compromised. And, as said, it requires additional work during the
installation.
Regards,
Edurd.
--
The best reformers the world has ever seen are those who start with
themselves.
-- George Bernard Shaw
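
Added example (not part of the original mail, and not dpkg or debhelper code): one way to do what the reply proposes, hashing the contents of control.tar.gz, appending those entries to an md5sums list of the kind dh_md5sums produces, and re-checking installed copies against it. The "DEBIAN/" path prefix, the function names and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample data, not taken from a real package.
SAMPLE_MD5SUMS = hashlib.md5(b"demo binary").hexdigest() + "  usr/bin/demo\n"
SAMPLE_MEMBERS = {
    "./control": b"Package: demo\n",
    "./postinst": b"#!/bin/sh\nexit 0\n",
    "./md5sums": SAMPLE_MD5SUMS.encode(),
}

def sample_control_tar():
    """Build an in-memory control.tar.gz from the constructed members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in SAMPLE_MEMBERS.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def control_md5sums(control_tar_gz, prefix="DEBIAN/"):
    """Map prefix+name -> md5 hex digest for each control member."""
    sums = {}
    with tarfile.open(fileobj=io.BytesIO(control_tar_gz), mode="r:gz") as tar:
        for member in tar:
            name = member.name[2:] if member.name.startswith("./") else member.name
            # The md5sums file cannot contain its own checksum, so skip it.
            if not member.isfile() or name == "md5sums":
                continue
            sums[prefix + name] = hashlib.md5(tar.extractfile(member).read()).hexdigest()
    return sums

def extend_md5sums(md5sums_text, control_sums):
    """Append control entries to an existing '<md5>  <path>' list."""
    lines = md5sums_text.splitlines()
    lines += [f"{digest}  {path}" for path, digest in sorted(control_sums.items())]
    return "\n".join(lines) + "\n"

def verify(md5sums_text, installed):
    """Return listed paths that are missing from `installed` or differ."""
    bad = []
    for line in md5sums_text.splitlines():
        digest, path = line.split("  ", 1)
        data = installed.get(path)
        if data is None or hashlib.md5(data).hexdigest() != digest:
            bad.append(path)
    return bad
```
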