
Re: Registering a media type for Debian binary packages?



On Mon, Dec 30, 2013 at 02:23:00AM +0100, Guillem Jover wrote:
> 
> This sounds great in theory, but I'm worried that in practice this
> might just make the situation worse, by making applications having
> to support not two, but three media types for undetermined periods
> of time?
> 
> OTOH, this might make it clearer for developers, what's the proper
> media type to use, so I will note down to possibly prepare a draft
> for this in the coming weeks, if it ends up making sense to do it.

Hi Guillem and everybody,

I could not help giving it a try.  What do you think of the following?
(see http://www.iana.org/form/media-types for background).

Type name:
application

Subtype name:
vnd.debian.binary-package

Required parameters:
None.

Optional parameters:
None.

Encoding considerations:
binary

Security considerations:

Debian binary packages can contain arbitrary commands that will be executed
with administrator privileges during installation.  It is therefore essential
to trust the origin of the package.  The recommended way is to download
packages from APT (Advanced Packaging Tool) archives that are authenticated with
a trusted cryptographic key (see the manual page of apt-secure for details).
As a lesser alternative for cases where APT tools are not available, the
package should be downloaded with secured protocols such as HTTPS.  There also
exists a mechanism for signing packages directly (called ‘debsigs’), but it is
not deployed.

The contents of the Debian binary packages are compressed (see the ‘deb’ manual
page for details on the format); it is therefore possible to inspect them
without actually installing the package.  An estimate of the uncompressed size of
the package may be available in its ‘control’ file, but it can only be trusted
if the package itself is trusted.

Since the Debian packages convey programs to be installed on a computer,
the monitoring of a user's downloads over non-secured transport protocols such
as HTTP or FTP may reveal information pertaining to the user's privacy, or
suggest information related to the system's security such as the precise
version numbers of programs in use.

Interoperability considerations:

Arbitrary Debian binary packages can be installed on any system where the
‘dpkg’ package manager is used, but it is recommended to only install packages
that have been built for a given release of Debian or a Debian derivative.

Published specification:
http://manpages.debian.org/deb

Applications that use this media type:

The Debian binary packages are manipulated by system programs such as ‘dpkg’,
‘apt-get’, graphical front-ends such as ‘Synaptic’ but also generic archive
decompressors such as ‘File Roller’.  After downloading a package with a web
browser or after clicking on its icon, front-ends or decompressors are usually
started.

Fragment identifier:
None.

Restrictions on usage:
None.

Additional information:
Deprecated alias names for this type:
None.

Magic number(s):
Files usually start with the following string:
!<arch>

File extension(s):
deb

Macintosh file type code(s):
None.

Object Identifier(s) or OID(s):
None.

Intended usage:
Common


Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
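Added example, not part of the mail above and not dpkg's own code: the "Security considerations" paragraph says a package can be inspected without installing it, and the "Magic number(s)" entry gives `!<arch>`; this script does exactly that, checking the magic, walking the ar members, and reading the declared Installed-Size out of the control file. The package bytes are constructed inline by the helper names `_ar_member` and `_control_tar`, which are introduced here for the example.

```python
import io
import tarfile
AR_MAGIC = b"!<arch>\n"  # the magic number given in the registration draft

def ar_members(data: bytes):
    """Yield (name, payload) for each member of the ar(1) archive that wraps a .deb."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive: magic number missing")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]  # fixed 60-byte ASCII member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip(" /")  # GNU ar appends '/', dpkg does not
        size = int(hdr[48:58])
        payload = data[pos + 60:pos + 60 + size]
        if len(payload) != size:
            raise ValueError("truncated member %r" % name)
        yield name, payload
        pos += 60 + size + (size & 1)  # members start on even offsets

def inspect_deb(data: bytes) -> dict:
    """Report format version and declared Installed-Size (KiB) without installing anything."""
    info = {"format_version": None, "installed_size_kib": None}
    for name, payload in ar_members(data):
        if name == "debian-binary":
            info["format_version"] = payload.decode("ascii").strip()
        elif name.startswith("control.tar"):  # control.tar.gz, control.tar.xz, ...
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tar:
                ctl = next(m for m in tar.getmembers() if m.name.lstrip("./") == "control")
                for line in tar.extractfile(ctl).read().decode().splitlines():
                    if line.startswith("Installed-Size:"):
                        info["installed_size_kib"] = int(line.split(":", 1)[1])
    return info

def _ar_member(name: bytes, payload: bytes) -> bytes:
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(payload))
    return hdr + payload + (b"\n" if len(payload) % 2 else b"")  # pad odd members

def _control_tar(control_text: str) -> bytes:
    buf, body = io.BytesIO(), control_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        ti = tarfile.TarInfo("./control")
        ti.size = len(body)
        tar.addfile(ti, io.BytesIO(body))
    return buf.getvalue()

# Constructed sample: a minimal package skeleton, not a real Debian package
SAMPLE_DEB = (AR_MAGIC + _ar_member(b"debian-binary", b"2.0\n")
              + _ar_member(b"control.tar.gz", _control_tar("Package: example\nInstalled-Size: 1234\n"))
              + _ar_member(b"data.tar.gz", b""))
```

As the mail notes, the Installed-Size read this way is only what the package claims about itself; it is not a substitute for verifying the package's origin through an authenticated APT archive.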

