Re: Bug#132767: debsum support should be mandatory
>>"Jason" == Jason Gunthorpe <jgg@debian.org> writes:
Jason> debsums is a poor and incomplete solution. The best thing is
Jason> to have dpkg compute+store the same data when the package is
Jason> unpacked on the fly. Then we don't bloat the archive, the
Jason> feature can be turned on/off, etc.
There is one little flaw in this. One now has to depend on
dpkg and md5sum binaries on the target machine. Going from a machine
in an unknown state, it is not easy to transition to a known state
even when booting of secure media, unless one has a full archive of
Debian handy.
If you have a broken dpkg/md5sum on the machine, the only way
to detect that after booting from known secure media (like a cdrom
you have audited) is if the hash file were generated (and known not
to be tampered because if a cryptographic signature) on another
machine.
The bloat is probably minimal, all things considered, since
each file in a package generates about 80 bytes of raw data, and less
on compression.
manoj
--
"In the fight between you and the world, back the world." --Frank
Zappa
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Reply to: