
Re: Registering a media type for Debian binary packages ?



Hi!

On Sun, 2014-02-02 at 22:23:02 +0900, Charles Plessy wrote:
> Security considerations:
> 
> Debian binary packages can contain scripts executing arbitrary commands during
> installation, which is done with administrator privileges.  It is therefore
> essential to trust the origin of the package.  The recommended way is to
> download packages from Debian format archives that are

This still seems confusing; “Debian format archive” could also be
understood as referring to .debs, maybe something like “Debian format
repositories”?

Ian's suggestion clarifies, but it's not entirely accurate because the
repositories can be served with protocols other than http/ftp.

> authenticated with a trusted cryptographic key (see the manual page of
> apt-secure for details).  As a lesser alternative for cases where APT tools are
> not available, the package should be downloaded with secured protocols such as
> HTTPS.  There also exists a mechanism for signing packages directly (called
> ‘debsigs’), but it is not deployed.

This still talks about APT as if it was the only frontend available,
what about “… cases where secure package manager frontends (such as APT,
cupt, etc.) are not available, …”?

> However, creating a Debian binary package requires the Debian tools.

I don't agree with this wording. Using dpkg-deb to create Debian binary
packages should be recommended very strongly, but it should not be
considered a requirement.

> File extension(s):
> deb

Maybe udeb should also be mentioned here?

Thanks,
Guillem
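As an added illustration of the security consideration quoted at the top of this reply (a binary package can ship maintainer scripts that run with administrator privileges during installation), the following Python script is not part of this thread, of dpkg or of any Debian tool. It constructs a small sample .deb in memory, then parses the ar container and the control tarball to list the maintainer scripts the package would run and to report the archive's SHA256, which is the value a signed repository's Packages index would carry for the file. The sample package, its field values and the `build_sample_deb` helper are constructed for the example only.

```python
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def ar_member(name: bytes, data: bytes) -> bytes:
    """Encode one member of a common-format ar(1) archive (the .deb container)."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    # Members start on an even offset, so odd-sized data gets one newline of padding.
    return header + data + (b"\n" if len(data) % 2 else b"")


def tar_gz(files: dict) -> bytes:
    """Pack {path: bytes} into a gzip'd tar using the './' prefix dpkg-deb writes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(content)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample package (not a real one): a control file plus a postinst."""
    control = (b"Package: example\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: Constructed <nobody@example.invalid>\n"
               b"Description: constructed sample, not a real package\n")
    postinst = b"#!/bin/sh\nset -e\necho 'this would run as root at install time'\n"
    return (AR_MAGIC
            + ar_member(b"debian-binary", b"2.0\n")
            + ar_member(b"control.tar.gz", tar_gz({"control": control, "postinst": postinst}))
            + ar_member(b"data.tar.gz", tar_gz({"usr/share/doc/example/README": b"hello\n"})))


def ar_members(blob: bytes) -> dict:
    """Walk the ar archive and return {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[0:16].rstrip().rstrip(b"/").decode()  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + (size % 2)
    return members


def _strip_dot_slash(name: str) -> str:
    return name[2:] if name.startswith("./") else name


def inspect_deb(blob: bytes) -> dict:
    """Summarise what a .deb would do at install time without unpacking it onto the system."""
    members = ar_members(blob)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("unsupported or missing debian-binary version member")
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control.tar member")
    fields, scripts = {}, {}
    # mode "r:*" auto-detects the compression; real packages often use control.tar.xz
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            base = _strip_dot_slash(m.name)
            content = tf.extractfile(m).read()
            if base == "control":
                for line in content.decode().splitlines():
                    if ":" in line and not line.startswith(" "):
                        key, value = line.split(":", 1)
                        fields[key.strip()] = value.strip()
            elif base in MAINTAINER_SCRIPTS:
                scripts[base] = content.decode(errors="replace")
    return {
        "package": fields.get("Package"),
        "version": fields.get("Version"),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "maintainer_scripts": scripts,
    }


if __name__ == "__main__":
    report = inspect_deb(build_sample_deb())
    print(report["package"], report["version"], report["sha256"])
    for name, body in report["maintainer_scripts"].items():
        print("--- %s ---\n%s" % (name, body))
```

The SHA256 printed here is only useful when compared against the hash published in an authenticated Packages index (which is what apt-secure verifies through the signed Release file); for a file fetched outside such a repository, listing the maintainer scripts before installing is the practical check this thread's security paragraph points at.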