Re: Bug#540215: Introduce dh_checksums

To: debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Russ Allbery <rra@debian.org>
Date: Thu, 11 Mar 2010 20:33:47 -0800
Message-id: <[🔎] 87wrxi6tw4.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 87aaue898o.fsf@frosties.localdomain> (Goswin von Brederlow's message of "Fri, 12 Mar 2010 05:16:55 +0100")
References: <[🔎] 20100303020620.GA17083@celtic.nixsys.be> <[🔎] 874okyuov4.fsf@windlord.stanford.edu> <[🔎] 20100303151752.835b34d3.erikd@mega-nerd.com> <[🔎] 20100303104725.GA18778@celtic.nixsys.be> <[🔎] slrnhosifd.rmi.trash@kelgar.0x539.de> <[🔎] 1267650344.8266.262.camel@solid.paris.klabs.be> <[🔎] 87bpf3vrai.fsf@qurzaw.linpro.no> <[🔎] 1268066168.21347.9661.camel@solid.paris.klabs.be> <[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu> <[🔎] 20100310143214.GE10578@celtic.nixsys.be> <[🔎] 20100311173710.GC25679@nn.nn> <[🔎] 87aaue898o.fsf@frosties.localdomain>

Goswin von Brederlow <goswin-v-b@web.de> writes:
>> On Wed, Mar 10, 2010 at 03:32:14PM +0100, Wouter Verhelst wrote:

>>> Having package.checksums be GPG-signed will take a significant change
>>> in our infrastructure (buildd hosts, for instance, would need to have
>>> a way to sign checksums files as well), so it's not going to happen
>>> tomorrow.

> That can be avoided by including a hash of the checksum file in the
> Packages files. That would be a relatively minor change in
> apt-ftparchive.

Having the signature only in the Packages file only solves a part of the
problem.  It's going to be very common to want to verify the integrity of
a package that's no longer current and hence no longer listed in the
Packages file.  I'd really rather see us pursue solutions that solve the
entire problem instead, including verification of the signature on
isolated *.deb files.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- md5sums files
  - From: Wouter Verhelst <wouter@debian.org>
- Re: md5sums files
  - From: Russ Allbery <rra@debian.org>
- Re: md5sums files
  - From: Erik de Castro Lopo <erikd@mega-nerd.com>
- Re: md5sums files
  - From: Wouter Verhelst <wouter@debian.org>
- Re: md5sums files
  - From: Philipp Kern <trash@philkern.de>
- Re: md5sums files
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: md5sums files
  - From: Tollef Fog Heen <tfheen@err.no>
- Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>

Prev by Date: Re: Bug#540215: Introduce dh_checksums
Next by Date: Re: Weather forecast through applet not available in Europe?
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread