
Re: Manipulated squirrelmail download archives - how to detect such cases automatically in the Debian packaging process?

On Fri, Dec 14, 2007 at 04:10:21PM +0100, Daniel Leidert wrote:
> Now I know, some upstream authors automatically provide (signed) MD5
> sums together with their packages (I do for example). Is there anything
> in the Debian packaging architecture to automatically get and compare
> the MD5 hash of the downloaded tarball to the (signed) MD5 hash provided
> by the author (besides the fact, that this should be done by the package
> maintainer manually)?

No, there's nothing in the archive. It's up to the maintainers to (manually)
verify this. 

> Would it make sense to add something to the packaging infrastructure or
> (maybe) to ftp.debian.org as part of the incoming process?

I'm not sure that process could be easily automated. You might want to 
read the Strong Distribution HOWTO available at
http://www.cryptnet.net/fdp/crypto/strong_distro.html
to see some of the issues at hand.

A possible extension to the information sent to ftp-master.debian.org (*not*
ftp.debian.org since that is a mirror and not an upload queue) (defined in
the .changes file) would be the signature of the orig.tar.gz tarball from
upstream. And ftp-master could check that the signature (and
MD5/SHA1/whatever hash) is valid (i.e. in a trusted keyring) and matches the
tar file.

However, that should be an *optional* extension as it is common for upstream
tarballs to be repackaged (to remove non-free material, for example).

And you still have to handle the "trusted" upstream keyring. Which is
quite complex. ¿How do you get keys there? ¿Who verifies them? ¿Do they have
to be signed? (I've seen many upstream keys used for distribution which are
unsigned, so there's no web of trust) ¿Do you do a per-project check, or is any
key in that keyring valid?

> I could imagine extending debian/watch to contain a search pattern for
> MD5 hash files and their signature files to download them too, and extending
> the dpkg utilities to compare the hash in the .dsc to an existing .md5
> (and verify these files with the signature in e.g. .md5.asc if
> possible). This would mean that these files could only be available on
> the maintainer's computer, or upload these files along with the .dsc, ...
> too. It would probably need a new keyring with the keys of upstream
> projects.

You are touching on several issues:

 * Extending debian/watch to verify signatures when downloading new upstream
   tarballs. That is certainly doable, as long as you specify how they
   are distributed or add a way to define where to retrieve the signatures
   from.

 * Extending the dpkg building/extraction tools to add some new files (GPG
   signature). Add them in a standard format (upstream_version.signature?)
   and verify them properly.

> Or is there already something similar I just don't know?

Not that I know of.

> I first would like to hear some opinions, before I write some wishlist
> report.

I think it might be interesting to add these options. But you are looking at
more than a single wishlist report (I see at least three, maybe four
different places to change).

Regards

Javier
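To make the workflow discussed above concrete, here is an added example (written for this thread; it is not code from Debian, dpkg, uscan or either poster) of the two checks a debian/watch or dpkg extension would have to perform: verify upstream's detached signature on the checksum file against a dedicated upstream keyring, then compare the downloaded tarball's digest with the manifest entry. It assumes the checksum file is in the plain md5sum/sha1sum/sha256sum line format ("hexdigest  filename"), that the signature is a detached OpenPGP signature verifiable with the gpg command line (the `--no-default-keyring --keyring --status-fd --verify` options are real gpg options; the keyring path itself is a hypothetical placeholder), and it leaves the network fetch out: all paths are local files.

```python
"""Verify an upstream tarball against a (signed) checksum manifest.

Added example for the thread above; not code from Debian, dpkg or uscan.
Steps mirror what the thread proposes: (1) check the detached signature on
the .md5/.sha256 file using *only* a dedicated upstream keyring, (2) compare
the tarball's digest with the manifest entry. Fetching is not covered.
"""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile

# md5sum/sha1sum/sha256sum output:  "<hex>  <name>"  or  "<hex> *<name>"
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")
# Hex digest length -> hashlib algorithm name (MD5 is what the thread
# discusses; the stronger ones are accepted the same way).
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_manifest(text):
    """Return {basename: (algorithm, hexdigest)} from manifest text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError("malformed manifest line: %r" % raw)
        digest, name = m.group(1).lower(), m.group(2).strip()
        algo = _ALGO_BY_LEN.get(len(digest))
        if algo is None:
            raise ValueError("unrecognised digest length in %r" % raw)
        entries[os.path.basename(name)] = (algo, digest)
    return entries


def file_digest(path, algo):
    """Stream the file through hashlib so large tarballs need no RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball_digest(tarball_path, manifest_text):
    """True only if the manifest lists this tarball and the digest matches."""
    entry = parse_checksum_manifest(manifest_text).get(os.path.basename(tarball_path))
    if entry is None:
        return False
    algo, expected = entry
    return hmac.compare_digest(file_digest(tarball_path, algo), expected)


def verify_detached_signature(signed_path, sig_path, upstream_keyring):
    """True only if gpg reports VALIDSIG using the given upstream keyring.

    The default (maintainer) keyring is deliberately excluded: the thread's
    point is that upstream keys need their own, separately managed keyring.
    Returns False when gpg is not installed (the check cannot be skipped).
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    proc = subprocess.run(
        [gpg, "--batch", "--no-default-keyring", "--keyring", upstream_keyring,
         "--status-fd", "1", "--verify", sig_path, signed_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    status = proc.stdout.decode("utf-8", errors="replace")
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in status


def verify_upstream(tarball_path, manifest_path, sig_path, upstream_keyring):
    """Signature first, then digest; either failure rejects the tarball."""
    if not verify_detached_signature(manifest_path, sig_path, upstream_keyring):
        return False
    with open(manifest_path, "r", encoding="utf-8") as fh:
        return verify_tarball_digest(tarball_path, fh.read())


def demo():
    """Constructed sample (no real upstream): a fake tarball and manifests."""
    workdir = tempfile.mkdtemp()
    tarball = os.path.join(workdir, "foo-1.0.tar.gz")
    data = b"constructed tarball bytes, not a real archive\n"
    with open(tarball, "wb") as fh:
        fh.write(data)
    good = hashlib.md5(data).hexdigest() + "  foo-1.0.tar.gz\n"
    binary_mode = hashlib.sha256(data).hexdigest() + " *foo-1.0.tar.gz\n"
    tampered = ("0" * 32) + "  foo-1.0.tar.gz\n"
    return {
        "md5_ok": verify_tarball_digest(tarball, good),
        "sha256_ok": verify_tarball_digest(tarball, binary_mode),
        "tampered_rejected": not verify_tarball_digest(tarball, tampered),
        "unlisted_rejected": not verify_tarball_digest(tarball, good.replace("foo", "bar")),
        # No keyring exists in the demo, so the signature step must fail closed.
        "missing_keyring_rejected": not verify_upstream(
            tarball, tarball, tarball, os.path.join(workdir, "upstream-keys.gpg")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-26s %s" % (name, "ok" if ok else "FAIL"))
```

The order in `verify_upstream` matters: a digest that matches an unsigned or wrongly signed manifest proves nothing, so the signature check gates the hash comparison, and a missing gpg or keyring fails closed rather than skipping the step.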
