[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#540215: Introduce dh_checksums

On Thu, Mar 18, 2010 at 04:52:07PM -0700, Russ Allbery wrote:
> You add an additional ar member that contains the signed checksums of all
> of the files in data.tar.gz, possibly another additional member that
> contains the signed checksums for control.tar.gz, or you document some
> convention so that you can combine both into the same signed checksum
> document.

That'd work pretty well, indeed. It would also have the advantage of
making it theoretically possible to reverse the addition of the
signatures again, should one want to re-verify against the original
.changes file for some reason. That's of course assuming that the
combination of "ar a" and "ar d" in whatever way dpkg does that is
idempotent, but I don't see why it couldn't be.

And as you say, this can be implemented in dak. That would have the
advantage of not requiring keys on the buildds.

So now that it's been reduced to a technical problem, who's going to do
the implementation? I'm prepared to look at a dpkg patch, but Python
just does not work for me.

> There are other implementation methods possible, but that's probably the
> most obvious one.

Yes, agreed.

The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.

Attachment: signature.asc
Description: Digital signature

Reply to: