
New field proposed, UUID

I'm proposing we add a new field to generated packages, and as part of
Debian policy, make them required for Debian packages. It's all very
simple, doesn't require any effort by the maintainers other than
upgrading dpkg-dev, and poses few side effects (other than a small
increase in the size of the Packages file and .deb's in general).

This field would look like such:

UUID: 71dc203f-c6bb-4feb-b3c2-ca8c84e727c8

(Note: UUID stands for Universally Unique IDentifier.) The tool to create
this is already in e2fsprogs. Most likely we can work on moving this to
debianutils or dpkg-dev.

The reason for this is many-fold. One, it gives us a unique way to
identify a .deb exclusive of when/where/who built it, and what arch it is
on. This is different from the md5sum, because this won't change even if
the contents of the .deb change.

Now, you may be asking "why?". The answer is very simple. We need a way to
discern packages from one another for security reasons. To invalidate a
.deb, we need a way to discern it from others, without comparing package
name, filename, version, md5sum, etc...

Sooner or later sigs will start traveling around with .deb's (that's
another discussion, save it for later, it is coming soon). When those sigs
are changed or updated by the archive maintainers or the release manager,
the md5sum of the package will change, but the UUID will remain the same.

This way we can revoke packages based on security issues, or other things.

The UUID can be generated by dpkg-gencontrol.

/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
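As an added illustration of the argument in the post above (example code, not part of Ben's message or of dpkg), the snippet below parses a constructed control stanza with the proposed UUID field, shows that attaching or updating a signature changes the md5sum while the UUID stays put, and keys a revocation check on the UUID rather than on name/version/md5sum. The stanza, the signature line, and the revocation set are all constructed sample data; the UUID is the one quoted in the post.

```python
import hashlib
import uuid

# Constructed sample control stanza (not a real Debian package).
CONTROL = """Package: example-pkg
Version: 1.0-1
Architecture: i386
UUID: 71dc203f-c6bb-4feb-b3c2-ca8c84e727c8
Description: constructed sample package
"""


def parse_control(text):
    """Parse one RFC822-style control stanza into a dict.

    Folded continuation lines (starting with whitespace) belong to the
    preceding field and are ignored here, since only single-line fields matter.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def package_uuid(text):
    """Return the UUID field in canonical form; raise if missing or malformed."""
    value = parse_control(text).get("UUID")
    if value is None:
        raise ValueError("control stanza has no UUID field")
    return str(uuid.UUID(value))  # ValueError on a badly formed UUID


def new_uuid_field():
    """What a dpkg-gencontrol-style generator would emit for a fresh package."""
    return "UUID: %s" % uuid.uuid4()


def md5sum(data):
    return hashlib.md5(data).hexdigest()


def is_revoked(text, revoked_uuids):
    """Revocation keyed on the UUID alone, independent of md5sum or filename."""
    return package_uuid(text) in revoked_uuids


# Simulate the archive maintainer attaching, then replacing, a signature:
# the bytes (and so the md5sum) change, the UUID does not.
ORIGINAL = CONTROL.encode()
RESIGNED = ORIGINAL + b"Signature: <constructed placeholder signature v2>\n"
```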
