Bug#572571: packages SHOULD ship checksums (a-la dh_md5sums, but better)

[Goswin von Brederlow <goswin-v-b@web.de>]

Stefano Zacchiroli <zack@debian.org> writes:

> Package: debian-policy
> Severity: wishlist
> Version: 3.8.4.0
>
> [ For the full context, see the -devel thread starting at
>   http://lists.debian.org/debian-devel/2010/03/msg00038.html ]
>
> On Thu, Mar 04, 2010 at 01:12:26PM -0800, Russ Allbery wrote:
>> > Russ, while we are at it, would you mind a bug report on the policy to
>> > suggest (starting at SHOULD?) to store md5sums in packages?
>> 
>> Not that I've had any time to work on Policy (or Lintian) in the last
>> month, but that does seem reasonable to me.  It seems to be a widespread
>> best practice already, and a lot of people are turning up in this thread
>> to say that they find it useful.
>
> Here we go.
>
> Currently, packages ships file checksums which are computed at package
> build time by the means of dh_md5sums (usually), and stored under
> /var/lib/dpkg/info/*md5sums.  Several people find those checksums
> useful, mostly for file corruption detection a-la CRC.
>
> Empirical tests show that the archive coverage is pretty good, most
> packages seem to ship those checksums.
>
> Hence, there is a desire to turn a similar feature into, for start, a
> SHOULD requirement, meant to become a MUST later on.
>
> However, a few generality shortcomings should probably be addressed,
> such as the usage of different checksumming mechanisms. Even though the
> intented purpose of those checksums is not intrusion detection, it would
> be nice to use stronger checksums such as sha1 and, more generally, to
> not have the specific kind of checksum used carved in stone.
>
> Thanks for considering,
> Cheers.

Repeating myself and expaning my thoughts for the sake of having it in
the BTS.

Are you sure this is something that policy must spell out? Couldn't that
be tucked into the dpkg specs, which are outside of policy?

In many packages the binary targets end with these 3 commands (or the
lowlevel equivalents):

dh_gencontrol   (dpkg-gencontrol)
dh_md5sums      (find | xargs md5sum)
dh_builddeb     (dpkg-deb)


If checksum files are to become a MUST directive then they should be
generated by dpkg as part of the lowlevel build process. Requiring every
package to build the checksum file itself is rather pointles. This could
be done as part of building the actual deb file in dpkg-deb.

I would like to propose a different mechanism though, one that also
improves the usefullness. I would propose to generate the checksum file
as part of dpkg-gencontrol. The reason for this is so that
dpkg-gencontrol can include a digest of the the checksum file
(e.g. sha256sum of the file itself) in DEBIAN/control. dpkg-genchanges
could then include that in the changes file. The end goal would be to
include the digest of the checksum file in the Packages.gz files and
therefore in the trust path. The local checksum files could then be
verified and trusted for a security check.

Either way this would be a change in dpkg and not policy directly.

MfG
        Goswin

PS: This will only work though if the filename of the checksum file is
changed so packages that call dh_md5sums after dh_gencontrol do not
overwrite the file. But that goes nicely together wih changing the
checksum algorithm to something crypographically strong.