
dpkg: .deb should contain authentication data



Package: dpkg
Version: 1.4.0.34
Severity: Important

(Important as it is a security issue that has been brought up recently
in several contexts, and we know that mirrors can be compromised.)

.debs should have an extra component in the ar archive containing
PGP-signed MD5 sums (or equivalent) of the other two sections of the
.deb archive (control and data).  Dpkg (or dpkg-deb?) should create
this part when asked to, in a way to be decided, and should be able to
check it if asked to.

Less urgent is a way of enabling users to confirm these PGP signatures
before installing the packages.

There is the obvious DFSG problem of making dpkg depend on PGP -- this
may actually be a very good opportunity to begin working towards GnuPG
by having the signatures be GnuPG ones.

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
             Debian GNU/Linux Developer.  jdg@debian.org
       -*- Finger jdg@master.debian.org for my PGP public key. -*-
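
Added example, not part of the original report and not dpkg's own code: a sketch of the extra ar member proposed above, with a manifest of digests that is checked against the other members. The member name `_digests`, the manifest line format and the choice of SHA-256 as the "equivalent" of MD5 are assumptions. The manifest here covers every other member, not only control and data, and the PGP/GnuPG signature over it is not shown.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"
DIGEST_MEMBER = "_digests"  # hypothetical member name; the report leaves it undecided

def ar_pack(members):  # [(name, bytes), ...] -> archive bytes
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # 60-byte header: name, mtime, uid, gid, mode, size, end marker
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        out += data + (b"\n" if len(data) % 2 else b"")  # members start on even offsets
    return bytes(out)

def ar_unpack(blob):
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    members, pos = [], 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) != 60 or hdr[58:] != b"`\n":
            raise ValueError("corrupt member header")
        size = int(hdr[48:58].decode().strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((hdr[:16].decode().rstrip(" /"), data))
        pos += 60 + size + size % 2
    return members

def make_manifest(members):  # one "digest  name" line per member
    return "".join("%s  %s\n" % (hashlib.sha256(d).hexdigest(), n)
                   for n, d in members).encode()

def verify(blob):
    """Names failing the check; assumes the manifest's signature was verified first."""
    members = ar_unpack(blob)
    manifests = [d for n, d in members if n == DIGEST_MEMBER]
    if len(manifests) != 1:
        raise ValueError("expected exactly one digest member")
    expected = dict(reversed(l.split("  ", 1)) for l in manifests[0].decode().splitlines())
    bad = []
    for name, data in members:  # pop() makes a duplicated member name fail the second time
        if name != DIGEST_MEMBER and expected.pop(name, None) != hashlib.sha256(data).hexdigest():
            bad.append(name)
    return bad + sorted(expected)  # manifest entries with no matching member

def sample_deb():  # constructed member contents, not real tarballs
    parts = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"constructed control"),
             ("data.tar.gz", b"constructed data!")]
    return ar_pack(parts + [(DIGEST_MEMBER, make_manifest(parts))])
```

An empty list from `verify()` only means the members match the manifest; the trust decision still rests on checking the signature over the manifest against a key obtained out of band.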

