Re: Bug#540215: Introduce dh_checksums

To: Wouter Verhelst <wouter@debian.org>
Cc: Goswin von Brederlow <goswin-v-b@web.de>, debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Wed, 17 Mar 2010 08:58:28 +0100
Message-id: <[🔎] 87eijj7523.fsf@frosties.localdomain>
In-reply-to: <[🔎] 20100312221356.GJ3902@celtic.nixsys.be> (Wouter Verhelst's message of "Fri, 12 Mar 2010 23:13:56 +0100")
References: <[🔎] 20100303151752.835b34d3.erikd@mega-nerd.com> <[🔎] 20100303104725.GA18778@celtic.nixsys.be> <[🔎] slrnhosifd.rmi.trash@kelgar.0x539.de> <[🔎] 1267650344.8266.262.camel@solid.paris.klabs.be> <[🔎] 87bpf3vrai.fsf@qurzaw.linpro.no> <[🔎] 1268066168.21347.9661.camel@solid.paris.klabs.be> <[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu> <[🔎] 20100310143214.GE10578@celtic.nixsys.be> <[🔎] 20100311173710.GC25679@nn.nn> <[🔎] 87aaue898o.fsf@frosties.localdomain> <[🔎] 20100312221356.GJ3902@celtic.nixsys.be>

Wouter Verhelst <wouter@debian.org> writes:

> On Fri, Mar 12, 2010 at 05:16:55AM +0100, Goswin von Brederlow wrote:
>> Harald Braumann <harry@unheit.net> writes:
>> 
>> > On Wed, Mar 10, 2010 at 03:32:14PM +0100, Wouter Verhelst wrote:
>> >>
>> >> Having package.checksums be GPG-signed will take a significant change in
>> >> our infrastructure (buildd hosts, for instance, would need to have a way
>> >> to sign checksums files as well), so it's not going to happen
>> >> tomorrow.
>> 
>> That can be avoided by including a hash of the checksum file in the
>> Packages files.
>
> That doesn't help for the problem we're trying to fix here: having a
> path to a GPG signature from an individual binary on the hard disk,
> months or years after the package was installed.
>
> With your proposal, you lose the signatures once the package is out of
> the archive and you run 'apt-get update'.

Then don't do that. :)

I don't think signing the checksum file itself will be feasable as that
would alter the contents of the deb and change the checksums in the
changes files autobuilders send the admin for signing. It would break
the existing signing infrastructure for autobuilders. It would also
require running dpkg-genchanges again during signing or otherwise adjust
the checksums in the changes file.

But for packages no longer in the archive there is snapshot.debian.net
(or the official replacement).

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <w@uter.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>

References:
- Re: md5sums files
  - From: Erik de Castro Lopo <erikd@mega-nerd.com>
- Re: md5sums files
  - From: Wouter Verhelst <wouter@debian.org>
- Re: md5sums files
  - From: Philipp Kern <trash@philkern.de>
- Re: md5sums files
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: md5sums files
  - From: Tollef Fog Heen <tfheen@err.no>
- Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Bug#574256: ITP: pygccxml - specialized XML reader reads the output from gccxml
Next by Date: Bug#574274: ITP: atspiuiasource -- At-spi UIA source
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread