[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#540215: Introduce dh_checksums

Harald Braumann <harry@unheit.net> writes:
> On Sat, Mar 20, 2010 at 06:13:14AM -0700, Russ Allbery wrote:

>> Yeah, that would be one such convention.  I don't know if that's better
>> or if adding a prefix of data: and control: to the path names would be
>> better.  My guess is that the latter may be a bit more flexible for
>> possible long-term changes, like adding other deb members later for
>> some reason that we want to sign.

> But aren't we talking about checksums of installed files here? So after
> package installation I'd like to have the file as
> /var/lib/dpkg/info/<packag>.checksums, just like the md5sums now, only
> that it's signed (preferably with a detached signature). This file has
> to be included verbatim in the package. You can't strip the
> data:/control: prefix on installation, as this would invalidate the
> signature. And it shouldn't be installed containing these prefixes,
> because then you can't use standard-tools to verify the checksums.

I agree with all of that; I'm just not sure the last bit actually
matters.  It's trivial to write a tiny tool that would verify the
checksums using other tools.  But I can see the appeal, and I wouldn't
argue against using the installed path either.

Note, though, that if only installed files can be listed in the signature,
the signature doesn't cover DEBIAN/control file, which seems like a bad

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: