[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#540215: Introduce dh_checksums

Goswin von Brederlow <goswin-v-b@web.de> writes:
>> On Wed, Mar 10, 2010 at 03:32:14PM +0100, Wouter Verhelst wrote:

>>> Having package.checksums be GPG-signed will take a significant change
>>> in our infrastructure (buildd hosts, for instance, would need to have
>>> a way to sign checksums files as well), so it's not going to happen
>>> tomorrow.

> That can be avoided by including a hash of the checksum file in the
> Packages files. That would be a relatively minor change in
> apt-ftparchive.

Having the signature only in the Packages file only solves a part of the
problem.  It's going to be very common to want to verify the integrity of
a package that's no longer current and hence no longer listed in the
Packages file.  I'd really rather see us pursue solutions that solve the
entire problem instead, including verification of the signature on
isolated *.deb files.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: