[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#572571: packages SHOULD ship checksums (a-la dh_md5sums, but better)

Package: debian-policy
Severity: wishlist

[ For the full context, see the -devel thread starting at
  http://lists.debian.org/debian-devel/2010/03/msg00038.html ]

On Thu, Mar 04, 2010 at 01:12:26PM -0800, Russ Allbery wrote:
> > Russ, while we are at it, would you mind a bug report on the policy to
> > suggest (starting at SHOULD?) to store md5sums in packages?
> Not that I've had any time to work on Policy (or Lintian) in the last
> month, but that does seem reasonable to me.  It seems to be a widespread
> best practice already, and a lot of people are turning up in this thread
> to say that they find it useful.

Here we go.

Currently, packages ships file checksums which are computed at package
build time by the means of dh_md5sums (usually), and stored under
/var/lib/dpkg/info/*md5sums.  Several people find those checksums
useful, mostly for file corruption detection a-la CRC.

Empirical tests show that the archive coverage is pretty good, most
packages seem to ship those checksums.

Hence, there is a desire to turn a similar feature into, for start, a
SHOULD requirement, meant to become a MUST later on.

However, a few generality shortcomings should probably be addressed,
such as the usage of different checksumming mechanisms. Even though the
intented purpose of those checksums is not intrusion detection, it would
be nice to use stronger checksums such as sha1 and, more generally, to
not have the specific kind of checksum used carved in stone.

Thanks for considering,

Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..|  .  |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime

Attachment: signature.asc
Description: Digital signature

Reply to: