
Re: Bug#540215: Introduce dh_checksums
Raphael Hertzog <hertzog@debian.org> writes:

> On Fri, 16 Apr 2010, Harald Braumann wrote:
>> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>> 
>> > Even if it creates a checksum file, someone could always hand-edit the
>> > package to add files not listed in the checksum files and we need to
> > decide whether that's something that needs to be caught and if yes by
>> > whom and at what point.
>> 
>> Do you mean a maintainer, who hand-edits a package after it was
>> built, or do you mean an adversary who has evil intentions? If the
>
> The latter.
>
>> former, then this should just be forbidden. If the latter, then this
>> can be solved by package signatures.
>
> Which one? We are discussing something that is a signature of the (content
> of the) package. And there's the signature on Release/Package which can
> authenticate the .deb in its entirety.
>
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.

The checksum file can be altered prior to the signature being added. But
so can any other part of the .deb file. We have to assume that no
adversary with evil intentions has access to the .deb prior to it being
signed. So it comes down to the maintainer not screwing up the package
prior to uploading.

The DAK can verify the validity of the signature and the completeness of
the checksum file during upload if that is considered necessary. I do
not think every user should have to do so during install. But it could
be optional with default off.

> Cheers,

MfG
        Goswin
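A completeness check of the kind Goswin suggests the DAK could run at upload time, as an added example that is not part of this thread or of Debian's tooling: it builds a constructed data.tar.gz in memory, compares it against a constructed checksums manifest in the md5sums layout (digest, two spaces, path; SHA-256 is assumed here), and reports archive files the manifest never lists, which is exactly what a valid signature on the manifest cannot catch.

```python
import hashlib
import io
import tarfile

# Constructed sample of what a small package's data.tar.gz might contain.
SAMPLE_FILES = {
    "./usr/bin/foo": b"#!/bin/sh\necho foo\n",
    "./usr/share/doc/foo/README": b"some docs\n",
    "./usr/lib/foo/extra.so": b"\x7fELF not really\n",  # present in the archive, never listed
}

def build_sample_data_tar(files):
    """Build an in-memory data.tar.gz from a {path: bytes} dict (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def sample_checksums_text():
    """Constructed manifest: one correct entry, one stale digest, one listed-but-absent path."""
    good = hashlib.sha256(SAMPLE_FILES["./usr/bin/foo"]).hexdigest()
    stale = hashlib.sha256(b"older docs\n").hexdigest()
    return (f"{good}  usr/bin/foo\n"
            f"{stale}  usr/share/doc/foo/README\n"
            f"{'0' * 64}  usr/share/doc/foo/copyright\n")

def parse_checksums(text):
    """Parse '<hex digest>  <path>' lines (md5sums-style layout) into {path: digest}."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {path.strip(): digest for digest, path in pairs}

def verify_checksums(data_tar_gz, checksums_text):
    """Return (unlisted, mismatched, missing): archive files the manifest omits, files whose
    digest differs, and manifest entries with no file in the archive. A valid signature on
    the manifest says nothing about the first category, which is the gap discussed above."""
    listed = parse_checksums(checksums_text)
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(data_tar_gz), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # directories and symlinks carry no digest
                name = member.name[2:] if member.name.startswith("./") else member.name
                seen[name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    unlisted = sorted(set(seen) - set(listed))
    missing = sorted(set(listed) - set(seen))
    mismatched = sorted(p for p in seen if p in listed and listed[p] != seen[p])
    return unlisted, mismatched, missing
```

An upload check would reject the package whenever `unlisted` or `mismatched` is non-empty; `missing` entries are a maintainer packaging error rather than a tampering sign.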

