[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Manipulated squirrelmail download archives - how to detect such cases automatically in the Debian packaging process?

On Fri, Dec 14, 2007 at 04:10:21PM +0100, Daniel Leidert wrote:
> Now I know, some upstream authors automatically provide (signed) MD5
> sums together with their packages (I do for example). Is there anything
> in the Debian packaging architecture to automatically get and compare
> the MD5 hash of the downloaded tarball to the (signed) MD5 hash provided
> by the author (besides the fact, that this should be done by the package
> maintainer manually)?

No, there's nothing in the archive. It's up to the maintainers to (manually)
verify this. 

> Would it make sense to add something to the packaging infrastructure or
> (maybe) to ftp.debian.org as part of the incoming process?

I'm not sure that process could be easily automated. You might want to 
read the Strong Distribution HOWTO available at
to see some of the issues at hand.

A possible extension to the information sent to ftp-master.debian.org (*not*
ftp.debian.org since that is a mirror and not an upload queue) (defined in
the .changes file) would be the signature of the orig.tar.gz tarball from
upstream. And ftp-master could check that the signature (and
MD5/SHA1/whatever hash) is valid (i.e. in a trusted keyring) and matches the
tar file.

However, that should be an *optional* extension as it is common for upstream
tar balls to be repackaged (to remove non-free material, for example). 

And you still have to handle the "trusted" upstream keyring. Which is
quite complex. ¿How do yo get keys there? ¿Who verifies them? ¿Do they have
to be signed? (I've seen many upstream keys used for distribution which are 
unsigned, so there's no web of trust) ¿Do you do a per-project check or any
key in that keyring is valid?

> I could imagine to extend debian/watch to contain a search pattern for
> MD5 hash files and their signature files to download them too and extend
> the dpkg utilities to compare the hash in the .dsc to an existing .md5
> (and verify the this files with the signature in e.g. .md5.asc if
> possible). This would mean, that these files could be only available on
> the maintainers computer or upload these files along with the .dsc, ...
> too. It would probably need a new keyring with the keys of upstream
> projects.

You are touching on several issues:

 * Extending debian/watch to verify signatures when downloading new upstream
   tarballs. That is certainly doable, as long as you specify how they
   are distributed or add a way to define where to retrieve the signatures

 * Extended dpkg building/extraction tools to add some new files (GPG
   signature). Add this if in a standard format (upstream_version.signature?)
   and verify them properly.

> Or is there already something similar I just don't know?

Not that I know of.

> I first would like to hear some opinions, before I write some wishlist
> report.

I think it might be interesting to add these options. But you are looking at
more than a single wishlist report (I see at least three, maybe four
different places to change).



Attachment: signature.asc
Description: Digital signature

Reply to: