
Re: debsums for maintainer scripts



On Thu, 4 Dec 2003 12:43:18 +0100, Eduard Bloch <edi@gmx.de> said: 

> #include <hallo.h>
> * Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:

>> > - current md5sums file in control.tar.gz should contain checksums
>> >   of
>> >    really all files
>>
>> Hard to do for conffiles. Now, if the md5sums were generated

> Then only add the md5sums of the control.tar.gz contents and add it
> to the list created by dh_md5sums.

	That does not help at all. I think you have missed the whole
 point: the files that determine program behaviour on the target
 system do not have checksums that can be generated from
 control.tar.gz. 

>> at install time, you could checksum my locally modified conffile
>> (even if I did not accept the maintainers changes). The md5sums
>> stored for conffiles currently are rarely any good, since the files
>> are often modified by the admin.

> This needs more work. I think Debian should archive the original
> versions of conffiles on the target filesystem anyways - the absence
> of them is a handicap for any long-term solution.

	What good does checking the original conffiles do when they
 are not looked at by anything?

	And how exactly is 
       DPkg::Post-Invoke {
           "debsums --generate=nocheck -sp /var/cache/apt/archives";
       };
 much more work?



>> > - new dpkg version should pickup the signature files and store
>> >   them
>> >    either in /var/lib/dpkg/info or in some alternative directory
>>
>> Or you could sign the newly generated md5sum files at install time,
>> complete with the checksums of the locally modified conffiles, and
>> not have to depend on knowing the key of the persons producing the
>> Packages file.

> But then you depend on a key that is stored on the local system -
> and I am not sure whom the user should trust more when the system
> has been compromised. And, as said, it requires additional work
> during the installation.

	I think you fail to comprehend the solution I proposed. Where
 did you get the idea the key is on the local machine?

	manoj

-- 
No one knows like a woman how to say things that are at once gentle
and deep. Hugo
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
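As an added illustration of the point under dispute (not code from the thread or from debsums itself): a small Python model of the two strategies, checksums shipped in control.tar.gz versus checksums generated from the installed tree as the Post-Invoke hook above would do. File paths and contents are constructed; signing of the generated list is left out.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 hex digest of a file, the value dpkg's md5sums files record."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def generate_md5sums(root, rel_paths):
    """Emulate generating an md5sums file from the installed tree (the
    Post-Invoke idea above).  Line format follows dpkg: '<md5>  <path>'."""
    return "".join(f"{md5_of(os.path.join(root, p))}  {p}\n" for p in rel_paths)

def verify_md5sums(root, md5sums_text):
    """Check recorded checksums against the live filesystem, returning
    {path: 'OK' | 'FAILED' | 'MISSING'} in the spirit of debsums' verdicts."""
    results = {}
    for line in md5sums_text.splitlines():
        if not line.strip():
            continue
        recorded, path = line.split("  ", 1)
        full = os.path.join(root, path)
        if not os.path.exists(full):
            results[path] = "MISSING"
        else:
            results[path] = "OK" if md5_of(full) == recorded else "FAILED"
    return results

def demo():
    """Constructed scenario: a program file plus a conffile the admin edits."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/foo": b"#!/bin/sh\necho foo\n",
             "etc/foo.conf": b"verbose = no\n"}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    shipped = generate_md5sums(root, files)   # as built into control.tar.gz
    with open(os.path.join(root, "etc/foo.conf"), "ab") as f:
        f.write(b"verbose = yes\n")            # routine local edit of /etc
    local = generate_md5sums(root, files)     # generated after installation
    return verify_md5sums(root, shipped), verify_md5sums(root, local)

if __name__ == "__main__":
    print(demo())
```

The shipped list flags the edited conffile as FAILED even though nothing is wrong, while the list generated after installation matches the system as the admin left it.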