Re: Bug#540215: Introduce dh_checksums
On Sat, Mar 20, 2010 at 06:13:14AM -0700, Russ Allbery wrote:
> Yeah, that would be one such convention. I don't know if that's better or
> if adding a prefix of data: and control: to the path names would be
> better. My guess is that the latter may be a bit more flexible for
> possible long-term changes, like adding other deb members later for some
> reason that we want to sign.

But aren't we talking about checksums of installed files here? So
after package installation I'd like to have the file as
/var/lib/dpkg/info/<package>.checksums, just like the md5sums now, only
that it's signed (preferably with a detached signature). This file has
to be included verbatim in the package. You can't strip the
data:/control: prefix on installation, as this would invalidate the
signature. And it shouldn't be installed containing these prefixes,
because then you can't use standard tools to verify the checksums.

If other stuff should be added later, for instance debsigs-like
signatures, then additional files can be added to the deb. I don't
think it's wise trying to define a catch-all format now and I don't
see why arbitrary additional files for further extensions couldn't be
added to the deb later. All these files could be packed together in,
say, security.tar.gz, so you can always remove this single member from
the ar to get the classic deb.
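
The trade-off argued in the message above, as an added example that is not part of the original thread: a checksum list with prefixed paths fails under the standard tool, and stripping the prefix changes the bytes a detached signature would cover. Assumptions: SHA-256 lists in `sha256sum` format, a literal `data:` path prefix, constructed file names, and a digest of the list's bytes used as a stand-in for signature verification (no key material is involved).

```shell
#!/bin/sh
# Added illustration with constructed files; not from the original thread.
# Assumptions: SHA-256 lists in sha256sum format, a literal "data:" path prefix.

demo_setup() {
    DEMO=$(mktemp -d) || return 1
    mkdir -p "$DEMO/root/usr/bin" "$DEMO/root/etc"
    printf 'constructed binary\n' > "$DEMO/root/usr/bin/hello"
    printf 'greeting=hi\n' > "$DEMO/root/etc/hello.conf"
    # List in the plain format that sha256sum -c understands.
    ( cd "$DEMO/root" && sha256sum usr/bin/hello etc/hello.conf ) > "$DEMO/plain.checksums"
    # Same list with the proposed member prefix on every path.
    sed 's|  |  data:|' "$DEMO/plain.checksums" > "$DEMO/prefixed.checksums"
}

# Digest of the list's exact bytes: stand-in for what a detached signature covers.
bytes_digest() { sha256sum < "$1" | cut -d' ' -f1; }

# What an installer would have to do to make the prefixed list usable.
strip_prefix() { sed 's|  data:|  |' "$1"; }

# Check the installed files against a list with the standard tool.
verify_files() { ( cd "$DEMO/root" && sha256sum -c "$1" >/dev/null 2>&1 ); }

run_demo() {
    demo_setup || return 1
    strip_prefix "$DEMO/prefixed.checksums" > "$DEMO/stripped.checksums"
    for f in plain prefixed stripped; do
        if verify_files "$DEMO/$f.checksums"; then tool=ok; else tool=FAIL; fi
        echo "$f: sha256sum -c $tool, list digest $(bytes_digest "$DEMO/$f.checksums")"
    done
    rm -rf "$DEMO"
}

run_demo
```

The prefixed list is the only one whose digest matches what was shipped and signed, and it is also the only one the standard tool rejects.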