
Re: Bug#540215: Introduce dh_checksums



On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:

> The checksum file could be attached as additional member in the
> .deb. And a signature could be a signed file containing the checksum
> size and name of all members of a .deb preceding the signature. That
> way the signature can verify the deb itself or individual members, like
> the checksum file, in the .deb. Just a thought.

I'm not sure how you mean that exactly. But the signature must be
over the checksum file, nothing more and nothing less. Otherwise
you won't be able to verify the checksum file.

Also I think it's really a very bad idea in general to mix multiple
different things into one signature. The one thing is a signature over
installed files (via the checksum file). The other is a signature over
a package. The two are completely orthogonal and serve different
purposes.

harry

