Manipulated squirrelmail download archives - how to detect such cases automatically in the Debian packaging process?

Hello,

Maybe some of you already noticed it: it seems some of the squirrelmail
archives have been manipulated [1]. I've downloaded the package source
and compared the md5sum of the .tar.gz to the ones provided by the
squirrelmail developers, and it seems we have one of the original
tarballs.

Now I know some upstream authors automatically provide (signed) MD5
sums together with their packages (I do, for example). Is there anything
in the Debian packaging architecture to automatically get and compare
the MD5 hash of the downloaded tarball to the (signed) MD5 hash provided
by the author (besides the fact that this should be done by the package
maintainer manually)?

Would it make sense to add something to the packaging infrastructure or
(maybe) to ftp.debian.org as part of the incoming process?

I could imagine extending debian/watch to contain a search pattern for
MD5 hash files and their signature files, to download them too, and extending
the dpkg utilities to compare the hash in the .dsc to an existing .md5
(and verify this file with the signature in e.g. .md5.asc if
possible). This would mean that these files would only be available on
the maintainer's computer, or these files would be uploaded along with the .dsc, ...
too. It would probably need a new keyring with the keys of upstream
projects.

Or is there already something similar I just don't know?

I would first like to hear some opinions before I write a wishlist
report.

[1] http://www.squirrelmail.org -> "SECURITY: 1.4.12 Package Compromise"

Regards, Daniel
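The cross-check sketched in the post, as an added example that is neither the poster's code nor part of Debian's packaging tools: it parses the Files: field of a .dsc and an upstream md5sum-style .md5 file, compares the orig tarball's hash, and verifies the detached .md5.asc with gpg against a keyring holding only upstream keys. The sample .dsc and .md5 contents, the file names and the keyring path are constructed assumptions.

```python
import subprocess

# Constructed sample .dsc fragment; the Files: field lists "<md5> <size> <name>"
# per source part. These md5 values are placeholders, not real hashes.
SAMPLE_DSC = """\
Format: 1.0
Source: squirrelmail
Version: 1.4.12-1
Files:
 0123456789abcdef0123456789abcdef 500000 squirrelmail_1.4.12.orig.tar.gz
 fedcba9876543210fedcba9876543210 12000 squirrelmail_1.4.12-1.diff.gz
"""
# Constructed upstream .md5 file in md5sum(1) format ("<md5>  <name>").
SAMPLE_UPSTREAM_MD5 = "0123456789abcdef0123456789abcdef  squirrelmail-1.4.12.tar.gz\n"

def dsc_files(dsc_text):
    """Return {filename: md5} from the Files: field of a .dsc."""
    files, in_files = {}, False
    for line in dsc_text.splitlines():
        if in_files and line.startswith(" "):
            md5, _size, name = line.split()
            files[name] = md5.lower()
        else:
            in_files = line.startswith("Files:")
    return files

def md5sum_file(text):
    """Parse md5sum(1) output; a leading '*' (binary mode) is dropped from names."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            md5, name = line.split(None, 1)
            entries[name.lstrip("*")] = md5.lower()
    return entries

def orig_tarball_matches(dsc_text, upstream_md5_text, orig_name, upstream_name):
    """True only if the .dsc records, for the orig tarball, the md5 upstream published."""
    dsc_md5 = dsc_files(dsc_text).get(orig_name)
    upstream_md5 = md5sum_file(upstream_md5_text).get(upstream_name)
    return dsc_md5 is not None and dsc_md5 == upstream_md5

def verify_upstream_signature(md5_path, asc_path, upstream_keyring):
    """gpg --verify of the detached .md5.asc against a keyring holding only
    upstream keys (the keyring the post asks for); exit status 0 means a good
    signature by a key in that keyring. Paths are caller-supplied assumptions."""
    result = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                             upstream_keyring, "--verify", asc_path, md5_path],
                            capture_output=True)
    return result.returncode == 0
```

Later versions of uscan implement this idea directly: the pgpsigurlmangle option in debian/watch fetches the upstream signature, and it is checked against the keys in debian/upstream/signing-key.asc.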