Re: MD5SUMs in debs / dpkg install hook (new thought)
Hi,
>>"Hamish" == Hamish Moffatt <hamish@debian.org> writes:
Hamish> On Fri, Dec 19, 1997 at 03:12:37PM +1300, Radu Duta wrote:
>> What I'm thinking is that maybe it should be the responsibility of
>> dpkg, since it is the package manager after all. The package
>> itself works as is and there would be not much extra benefit from
>> having the md5sums in the package, though the MD5SUMs should still
>> be there. Maybe they could be calculated at installation time
>> (this would affect performance obviously), but it would be the right
>> thing to do.
Hamish> Well, calculation at install time doesn't prevent somebody
Hamish> modifying the .deb (which is easy), especially in the case of
Hamish> non-official sites. Does dpkg check the MD5sum with the one in
Hamish> the Packages file or in the archive itself?
No, but writing a script to check packages off a Packages file
should be simple. I would like the installer to create a detached
signature for all the Packages files generated on master.debian.org,
with a "Debian installer" key, again, widely distributed.
Hamish> Even then you could still tamper with an archive and
Hamish> recalculate the MD5sum for the Packages file or whatever.
See above.
Hamish> The only way to be really sure is the .dsc file I guess, which
Hamish> is pgp-signed by the real author.
Hamish> I would prefer build time.
Me too, like maybe in dpkg --build or in dpkg-genchanges or
something like that.
manoj
--
When one is overcome by this wretched, clinging desire in the world,
one's sorrows increase like grass growing up after a lot of rain. 335
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
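
An added example, not part of the original message and not dpkg code: a sketch of the "script to check packages off a Packages file" mentioned above, using the index's Filename, Size and MD5sum fields. The function names and the sample data in `demo()` are constructed for illustration, and the script assumes the Packages file's detached signature has already been verified, since a checksum match against an unauthenticated index proves nothing.

```python
import hashlib
import os
import tempfile

def parse_packages(text):
    """Yield the fields of each Packages stanza that names a file."""
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:  # skip continuation lines
                key, _, value = line.partition(":")
                fields[key.strip().lower()] = value.strip()
        if "filename" in fields:
            yield fields

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def check_archive(packages_text, root):
    """Map each Filename to 'ok', 'missing', 'size-mismatch' or 'md5-mismatch'."""
    results = {}
    root = os.path.realpath(root)
    for pkg in parse_packages(packages_text):
        name = pkg["filename"]
        path = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
            results[name] = "missing"  # absent, or resolves outside the mirror root
        elif str(os.path.getsize(path)) != pkg.get("size"):
            results[name] = "size-mismatch"
        elif md5_of(path) != pkg.get("md5sum", "").lower():
            results[name] = "md5-mismatch"
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed sample: one intact .deb, one altered after indexing, one absent."""
    good, bad = b"constructed package A", b"constructed package B"
    stanza = "Package: {0}\nFilename: pool/{0}.deb\nSize: {1}\nMD5sum: {2}\n"
    index = "\n".join(stanza.format(n, len(d), hashlib.md5(d).hexdigest())
                      for n, d in (("a", good), ("b", bad), ("c", b"gone")))
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "pool"))
        for n, d in (("a", good), ("b", bad[::-1])):  # b: same size, different bytes
            with open(os.path.join(root, "pool", n + ".deb"), "wb") as fh:
                fh.write(d)
        return check_archive(index, root)
```

Calling `demo()` reports the same-size altered file as `md5-mismatch`, which the Size field alone would not catch.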