"Theodore Ts'o" <tytso@mit.edu> writes:

> Perhaps we could avoid talking past we formally had a list of
> requirements, and then match possible alternative approaches with how
> well they meet the agreed-upon requirements, and which requirements
> proponents want to dispense with because (at least for them), It's
> Just Not Worth It?

Yes please!  I suspect one root problem here is that people have
different conflicting requirements, and everyone primarily relates to
their own situation.

I often work in offline mode too, but never had any problem with the
download tarball approach.  After 'git clone' (which requires internet)
the first thing I normally do is to attempt a build, and
git-buildpackage downloads the *.orig.tar.* automatically for me.  Then
I leave the tarball around on my laptop and never think about it.  It
is rare for me to happen to have a git repository of a package around
and not have its corresponding tarballs too, but workflows differ.

>> If we are worried about malicious upstreams replacing tarballs, or
>> man-in-the-middle attacks, I think my debian/upstream/*SUMS approach is
>> a more effective solution to that problem.
>
> Maybe... if there were tools that made it super easy to validate the
> tarball against the *SUMS files without needing to unpack the tarball
> first?

I think 'sha256sum -c mypackage-git-repository/debian/source/SHA256SUM'
should work if you have the tarballs in the current directory.

> Possibly with an inline GPG signature so we don't have to have
> separate SHA256SUM and SHA256SUM.asc files?  For bonus points, maybe
> also a tool that validates a SHA256SUM file with a git commit id,
> again without needing to do a "git checkout" first?
>
> I will note that this approach would break backwards compatibility with
> existing Debian source packaging, right?  That is, you're proposing
> that the debian/upstream/*SUMS file would replace the
> *.orig.tar.gz.asc file?

I don't think that works: the nice thing with *.orig.tar.gz.asc is that
we get upstream's signature file into Debian, allowing users to follow
the audit trail back to upstream.

My primary motivation is to make it possible to record under debian/
the intended (by the package maintainer) checksums of the *.orig.tar.*
and (when they are different) upstream tarballs.  We don't have any way
to record that in debian/ today, I think.  The only record of this is
indirectly with the maintainer signing the *.changes file during
package upload.  But that is weak (only successfully uploaded packages
are protected, not work-in-progress) and not widely audited (*.changes
files aren't stored forever, or are they?).

/Simon
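As an added example (not code from this thread or from any Debian tool), a POSIX shell script showing the check Simon describes: a maintainer records the digest of the orig tarball under debian/upstream/SHA256SUMS, and anyone holding the tarball later verifies it with plain 'sha256sum -c' without unpacking it. The package name hello_1.0, the directory layout and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): record the checksum a maintainer
# intends for an upstream tarball in debian/upstream/SHA256SUMS and verify a
# tarball against it with plain `sha256sum -c`, without unpacking anything.
# The package name, version and directory layout below are constructed.

# Create a scratch tree: a fake upstream source, its orig tarball, and a
# debian/upstream/SHA256SUMS recording the tarball's digest.  Prints the
# scratch directory path.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/src/debian/upstream" "$demo/upstream"
    printf 'int main(void) { return 0; }\n' > "$demo/upstream/hello.c"
    # gzip -n keeps the timestamp out of the header so the digest is stable.
    tar -C "$demo/upstream" -cf - hello.c | gzip -n > "$demo/hello_1.0.orig.tar.gz"
    # What the maintainer would commit under debian/ when importing upstream.
    (cd "$demo" && sha256sum hello_1.0.orig.tar.gz) \
        > "$demo/src/debian/upstream/SHA256SUMS"
    printf '%s\n' "$demo"
}

# Verify every tarball named in a SUMS file against the copies found in
# tarball_dir.  sums_file must be an absolute path because we cd first.
# Exit status 0 means every digest matched; 1 means at least one did not.
verify_orig_tarballs() {
    sums_file=$1
    tarball_dir=$2
    (cd "$tarball_dir" && sha256sum --quiet -c "$sums_file")
}

# Stand-alone demonstration: a pristine tarball verifies, a modified one does not.
demo_dir=$(setup_demo)
sums="$demo_dir/src/debian/upstream/SHA256SUMS"
if verify_orig_tarballs "$sums" "$demo_dir"; then
    echo "pristine tarball: matches debian/upstream/SHA256SUMS"
fi
printf 'x' >> "$demo_dir/hello_1.0.orig.tar.gz"   # simulate a replaced tarball
if ! verify_orig_tarballs "$sums" "$demo_dir" 2>/dev/null; then
    echo "modified tarball: checksum mismatch detected"
fi
rm -rf "$demo_dir"
```

Because the SUMS file lives in the git checkout while the tarballs sit beside it, the check needs neither a 'git checkout' of a particular revision nor an extracted tree; it only needs the sums file path and the directory holding the tarballs.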