Re: Bug#540215: Introduce dh_checksums
Harald Braumann <firstname.lastname@example.org> writes:
> On Sat, Mar 20, 2010 at 06:13:14AM -0700, Russ Allbery wrote:
>> Yeah, that would be one such convention. I don't know if that's better
>> or if adding a prefix of data: and control: to the path names would be
>> better. My guess is that the latter may be a bit more flexible for
>> possible long-term changes, like adding other deb members later for
>> some reason that we want to sign.
> But aren't we talking about checksums of installed files here? So after
> package installation I'd like to have the file as
> /var/lib/dpkg/info/<packag>.checksums, just like the md5sums now, only
> that it's signed (preferably with a detached signature). This file has
> to be included verbatim in the package. You can't strip the
> data:/control: prefix on installation, as this would invalidate the
> signature. And it shouldn't be installed containing these prefixes,
> because then you can't use standard-tools to verify the checksums.
I agree with all of that; I'm just not sure the last bit actually
matters. It's trivial to write a tiny tool that would verify the
checksums using other tools. But I can see the appeal, and I wouldn't
argue against using the installed path either.
Note, though, that if only installed files can be listed in the signature,
the signature doesn't cover DEBIAN/control file, which seems like a bad
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>