Re: Bug#540215: Introduce dh_checksums
Harald Braumann <email@example.com> writes:
> On Thu, Mar 18, 2010 at 04:52:07PM -0700, Russ Allbery wrote:
>> You add an additional ar member that contains the signed checksums of
>> all of the files in data.tar.gz, possibly another additional member
>> that contains the signed checksums for control.tar.gz, or you document
>> some convention so that you can combine both into the same signed
>> checksum document.
> Wouldn't it be simpler to just extract *sums from control.tar.gz, create
> a detached signature for it and put it in the ar archive, instead of
> extracting data.tar.gz and generating the sums a second time? Or would
> this replace dh_*sums during package build time?
I think it would replace dh_*sums during package build time and make
obsolete including md5sums in the control.tar.gz. You don't really want
the signature and checksums to be inside one of the other data members
since that breaks, as Wouter points out, the ability to remove the
signature and checksums and verify against the original *.changes file.
And there's no need to include two copies of the checksums.
> And then create a second signature over all files in the ar archive
> directly. This one would be checked before extracting the containing
> tar.gz files, and the other one would be installed along with the *sums
I think you want to checksum the underlying contents, not the *.tar.gz
files in the ar archive. As Joey can attest to from writing pristine-tar,
it's surprisingly difficult to reproduce a *.tar.gz file from its members.
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>