
Re: Bug#540215: Introduce dh_checksums



On Fri, Mar 19, 2010 at 05:56:40PM -0700, Russ Allbery wrote:
> Harald Braumann <harry@unheit.net> writes:
> > On Thu, Mar 18, 2010 at 04:52:07PM -0700, Russ Allbery wrote:
> 
> >> You add an additional ar member that contains the signed checksums of
> >> all of the files in data.tar.gz, possibly another additional member
> >> that contains the signed checksums for control.tar.gz, or you document
> >> some convention so that you can combine both into the same signed
> >> checksum document.
> 
> > Wouldn't it be simpler to just extract *sums from control.tar.gz, create
> > a detached signature for it and put it in the ar archive, instead of
> > extracting data.tar.gz and generating the sums a second time? Or would
> > this replace dh_*sums during package build time?
> 
> I think it would replace dh_*sums during package build time and make
> obsolete including md5sums in the control.tar.gz.  You don't really want
> the signature and checksums to be inside one of the other data members
> since that breaks, as Wouter points out, the ability to remove the
> signature and checksums and verify against the original *.changes file.
> And there's no need to include two copies of the checksums.

There would only be one additional file, containing a detached
signature for the checksum file. No duplication of checksums and it
can easily be removed from the ar. But doing everything in one step,
like you proposed, is better anyway.

> 
> > And then create a second signature over all files in the ar archive
> > directly. This one would be checked before extracting the containing
> > tar.gz files, and the other one would be installed along with the *sums
> > file.
> 
> I think you want to checksum the underlying contents, not the *.tar.gz
> files in the ar archive.  As Joey can attest to from writing pristine-tar,
> it's surprisingly difficult to reproduce a *.tar.gz file from its members.

Misunderstanding. Forget what I said.

To include checksums for control.tar.gz, just add them to the same
checksum file, but with the paths the files will have after package
installation (/var/lib/dpkg/...).

harry
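The layout discussed in this thread, as an added example that is not part of the mailing-list post and not dpkg's own code: a .deb-style ar archive (debian-binary, control.tar.gz, data.tar.gz) gets one extra, removable member holding a checksum document computed over the underlying tar contents rather than over the *.tar.gz members, with the control.tar.gz entries listed under the paths they would occupy after installation. The member name `_checksums`, the sha256 line format and the `var/lib/dpkg/info/<pkg>.<file>` mapping for control members are this example's assumptions; the detached signature itself is left to whatever signing tool is chosen, and would cover exactly the document this code produces.

```python
"""Added example: removable checksum member for a .deb-style ar archive.
Assumptions (not from the thread): member name "_checksums", sha256 lines,
and control files mapped to var/lib/dpkg/info/<pkg>.<file>."""
import hashlib
import io
import tarfile

CHECKSUM_MEMBER = "_checksums"  # assumed name for the added ar member


def _ar_member(name, data):
    # Common 'ar' header: name16 mtime12 uid6 gid6 mode8 size10 magic2 = 60 bytes;
    # payload is padded to an even length with "\n".
    hdr = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
           + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode("ascii")
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def build_ar(members):
    return b"!<arch>\n" + b"".join(_ar_member(n, d) for n, d in members)


def parse_ar(blob):
    """Return [(name, bytes)] for every member of an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, out = 8, []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii"))
        out.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return out


def make_targz(files):
    """Constructed tar.gz from {"./path": bytes}, the "./" form dpkg-deb uses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def checksum_document(pkg, control_tgz, data_tgz):
    """One 'sha256  installed-path' line per regular file in both tarballs.
    Hashes are taken over the extracted file contents, never over the .tar.gz."""
    lines = []
    # Assumed mapping: control members end up under var/lib/dpkg/info/<pkg>.<file>
    for blob, prefix in ((data_tgz, ""), (control_tgz, f"var/lib/dpkg/info/{pkg}.")):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for info in tar:
                if not info.isfile():
                    continue
                content = tar.extractfile(info).read()
                name = info.name[2:] if info.name.startswith("./") else info.name
                lines.append(f"{hashlib.sha256(content).hexdigest()}  {prefix}{name}")
    return "\n".join(sorted(lines)) + "\n"


def add_checksums(pkg, deb):
    """Append the checksum document as its own ar member; the existing members stay untouched."""
    m = dict(parse_ar(deb))
    return deb + _ar_member(CHECKSUM_MEMBER, checksum_document(pkg, m["control.tar.gz"], m["data.tar.gz"]).encode())


def strip_checksums(deb):
    """Drop the extra member so the rest can be compared with the original .deb (e.g. via *.changes)."""
    return build_ar([(n, d) for n, d in parse_ar(deb) if n != CHECKSUM_MEMBER])


def verify(pkg, deb):
    """Recompute the document from the tar contents and compare with the stored member."""
    m = dict(parse_ar(deb))
    if CHECKSUM_MEMBER not in m:
        return False
    return m[CHECKSUM_MEMBER].decode() == checksum_document(pkg, m["control.tar.gz"], m["data.tar.gz"])


def demo():
    pkg = "hello"  # constructed package
    control = make_targz({"./control": b"Package: hello\nVersion: 1.0\n", "./postinst": b"#!/bin/sh\nexit 0\n"})
    data = make_targz({"./usr/bin/hello": b"#!/bin/sh\necho hello\n"})
    original = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])
    signed = add_checksums(pkg, original)
    # Tampered copy: data.tar.gz replaced, old checksum member kept
    altered = make_targz({"./usr/bin/hello": b"#!/bin/sh\necho changed\n"})
    tampered = build_ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control),
                         ("data.tar.gz", altered), (CHECKSUM_MEMBER, dict(parse_ar(signed))[CHECKSUM_MEMBER])])
    return {
        "doc": dict(parse_ar(signed))[CHECKSUM_MEMBER].decode(),
        "verified": verify(pkg, signed),
        "tamper_detected": not verify(pkg, tampered),
        "stripped_matches": strip_checksums(signed) == original,
    }


if __name__ == "__main__":
    print(demo()["doc"])
```

Because the member is appended after the three standard members, stripping it restores the original archive byte for byte, which is what lets the stored checksum in a *.changes file still be checked after signing.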
