[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: dpkg-sig support wanted?

Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> wrote:

> Anthony Towns <aj@azure.humbug.org.au> writes:
>
>> deb after upload would make it much more difficult to check the deb was
>> what was uploaded -- you can no longer just use md5sum, you've instead
>> got to use special tools.
>
> So? Is that so bad?
>
> Also so far nothing is changing debs after upload. The deb signatures
> so far are all done prior to uploading and even changes file
> generation. Only a dinstall signature would change that, making the
> changes file less easy to verify while keeping everything else the
> same.

If such a signature mechanism is implemented, dinstall could also append
a copy of the filelist, with updated md5sums.  I'm not familiar with the
ar format, but can one restore the old md5sum when you unpack the deb,
remove the additional signature, and re-ar it?

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
Reply to: