Re: Bug#540215: Introduce dh_checksums

To: Wouter Verhelst <wouter@debian.org>
Cc: Russ Allbery <rra@debian.org>, debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Goswin von Brederlow <goswin-v-b@web.de>
Date: Thu, 18 Mar 2010 08:35:19 +0100
Message-id: <[🔎] 87eijif5fs.fsf@frosties.localdomain>
In-reply-to: <[🔎] 20100317231806.GE15158@celtic.nixsys.be> (Wouter Verhelst's message of "Thu, 18 Mar 2010 00:18:07 +0100")
References: <[🔎] 20100310143214.GE10578@celtic.nixsys.be> <[🔎] 20100311173710.GC25679@nn.nn> <[🔎] 87aaue898o.fsf@frosties.localdomain> <[🔎] 20100312221356.GJ3902@celtic.nixsys.be> <[🔎] 87eijj7523.fsf@frosties.localdomain> <[🔎] 20100317114158.GA17583@nn.nn> <[🔎] 20100317143631.GA5556@reptile.pseudorandom.co.uk> <[🔎] 87pr32zurw.fsf@windlord.stanford.edu> <[🔎] 20100317224016.GC15158@celtic.nixsys.be> <[🔎] 87ljdqtudt.fsf@windlord.stanford.edu> <[🔎] 20100317231806.GE15158@celtic.nixsys.be>

Wouter Verhelst <wouter@debian.org> writes:

> On Wed, Mar 17, 2010 at 04:12:46PM -0700, Russ Allbery wrote:
>> Wouter Verhelst <wouter@debian.org> writes:
>> 
>> > This is not true.
>> 
>> > wouter@merkel:/org/ftp.debian.org/queue/done$ ls *ges|wc -l
>> > 28969
>> 
>> > These are only the *active* changes files, though:
>> 
>> > wouter@merkel:/org/ftp.debian.org/queue/done$ find . -name 'nbd*ges'|wc -l
>> > 898
>> 
>> > ... since no .changes file is ever thrown away:
>> 
>> > wouter@merkel:/org/ftp.debian.org/queue/done$ du -sh .
>> > 7.1G
>> 
>> > They may not be visible on the mirrors, but they are there.
>> 
>> Ah, thank you.  I didn't realize that we kept them at all.
>> 
>> Note, though, that if the concern is a cryptographically strong audit
>> trail, we could still retain a link from the original *.changes file to
>> the final package with a second (possibly signed) document archived with
>> the *.changes file listing the original and final checksums of the
>> now-signed packages.
>
> True.

False.

The changes files are signed by a human and therefor have a strong trust
level. The "was XYZ is now UVW" file would have to be automatically
signed and much less trustworthy. Esspecially if you suspect someone
broke into ftp-master and modified some debs. They would just recreate
and resign the "was XYZ is now UVW" file with the automatic archive key.

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>

References:
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Goswin von Brederlow <goswin-v-b@web.de>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Simon McVittie <smcv@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Wouter Verhelst <wouter@debian.org>

Prev by Date: Re: Suggestions to fix #433462 (add free space info to reportbug)
Next by Date: Re: Bits from the Release Team: What should go into squeeze?
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread