On Thu, Apr 15, 2010 at 05:14:39PM +0200, Raphael Hertzog wrote:
> > > On Tue, 23 Mar 2010, Wouter Verhelst wrote:
> > > > The idea would be to provide a path from a binary on disk to a GPG
> > > > signature for installed packages of which the user no longer has the
> > > > .deb file from which it was originally installed, nor the Packages
> > > > and/or Release.gpg file that was used to download it.
<snip>
> Hu?! Retrieving the SHA1 checksum is done by running "sha1sum
> /the/file"... I don't see what dpkg would bring here. Furthermore,
> the content of a file might not change at each release which means it's
> not a one-to-one mapping but a one-to-many mapping.
The scenario suggested by Wouter quote above is that the user has
deleted *part* of an installed package (e.g. a mistaken "rm" somewhere
under /usr/share/package/), but she no longer has the corresponding
.deb. Under that assumption, while the user can "sha1sum /the/file", she
can no longer "sha1sum /the/.deb"; so there is no way to lookup
snapshot.d.o to retrieve the .deb.
It is my understanding that achieving the goal that you and Wouter
agreed upon would provide the step "/the/file" -->> checksum of the
owning .deb. If this is the case, the circle is closed.
> I'm really confused at what you were trying to suggest.
Any better? (even though it is not yet clear to me what was not clear in
my post, sorry about that)
Cheers.
--
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
zack@{upsilon.cc,pps.jussieu.fr,debian.org} -<>- http://upsilon.cc/zack/
Dietro un grande uomo c'è ..| . |. Et ne m'en veux pas si je te tutoie
sempre uno zaino ...........| ..: |.... Je dis tu à tous ceux que j'aime
Attachment:
signature.asc
Description: Digital signature