Re: MD5sum in Packages (was: No ldd?)
George Bonser <grep@shorelink.com> writes:
>Note that I am using the apt method of dselect using the round-robin
>mirrors so I have no idea which site I was really connected to when I got
>the bad .deb
Does apt check the MD5sum of the package against that in the Packages
file? Does dpkg do that (I suppose not, since I don't think it reads
Packages files)?
If neither of them do, shouldn't one of them do it? Which one? (I.e.
against which package should I send a bug report? :))
Another idea for a new feature in the packaging system:
I think it would be a good thing to include a PGP or GPG signature of
the Packages file in the distribution. This could be automatically
generated (filename Packages.sig or something) by whatever adds
packages to ftp.debian.org. Someone could generate a key for it, and
add the key to debian-keyring, perhaps signed by a couple of
maintainers.
The signature should simply validate that the Packages file is
identical to that on ftp.debian.org; that is, it is unmodified from an
official Debian distribution.
Of course, it would also be nice if something checked the signature
automatically; apt could do this after downloading the Packages file,
or dpkg --update-avail could do it, if given access to the signature
somehow.
Just an idea...
(I don't read debian-devel, so if you want to say something to me,
mail to debian-user or to me directly.)
--
-=- Rjs -=- rjs@lloke.dna.fi
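The check the mail asks for, as an added example that is not part of the original message or of apt or dpkg: parse a Packages index in the Debian control-file format, look up the stanza for the package that was downloaded, and compare the Size and MD5sum fields against the bytes actually fetched. The index text, package names, paths and the .deb contents below are all constructed sample data, not a real Debian index.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample Packages index (not a real Debian index). Stanzas are
# separated by a blank line; continuation lines start with a space or tab.
# md5("hello") = 5d41402abc4b2a76b9719d911017c592; md5("") = d41d8cd98f00b204e9800998ecf8427e.
SAMPLE_PACKAGES = """\
Package: hello
Version: 1.3-14
Architecture: i386
Filename: dists/hamm/main/binary-i386/devel/hello_1.3-14.deb
Size: 5
MD5sum: 5d41402abc4b2a76b9719d911017c592
Description: constructed example package
 This description spans two lines to show how
 continuation lines are folded into one field.

Package: empty-demo
Version: 0.1
Architecture: all
Filename: dists/hamm/main/binary-all/misc/empty-demo_0.1.deb
Size: 0
MD5sum: d41d8cd98f00b204e9800998ecf8427e
"""


def parse_packages(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Packages index into {package name: {field: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    last_field: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():            # blank line ends a stanza
            if current:
                stanzas[current["Package"]] = current
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field is not None:
            current[last_field] += "\n" + line.strip()   # continuation line
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:                         # index with no trailing blank line
        stanzas[current["Package"]] = current
    return stanzas


def verify_deb(entry: Dict[str, str], deb_bytes: bytes) -> Optional[str]:
    """Compare downloaded .deb bytes with one index stanza.

    Returns None when Size and MD5sum both match, otherwise a short
    description of the first mismatch found. Size is checked first because
    it is cheap and catches truncated transfers before hashing.
    """
    expected_size = int(entry["Size"])
    if len(deb_bytes) != expected_size:
        return f"size mismatch: index says {expected_size}, got {len(deb_bytes)}"
    actual = hashlib.md5(deb_bytes).hexdigest()
    expected = entry["MD5sum"].lower()
    if actual != expected:
        return f"MD5sum mismatch: index says {expected}, computed {actual}"
    return None


def check_download(packages_text: str, name: str, deb_bytes: bytes) -> Optional[str]:
    """Look up `name` in the index and verify `deb_bytes` against it."""
    entries = parse_packages(packages_text)
    if name not in entries:
        return f"{name}: not listed in Packages index"
    problem = verify_deb(entries[name], deb_bytes)
    return None if problem is None else f"{name}: {problem}"


if __name__ == "__main__":
    # Constructed downloads: one intact, one corrupted in transit, one truncated.
    for pkg, blob in [("hello", b"hello"), ("hello", b"hellO"), ("hello", b"hell")]:
        result = check_download(SAMPLE_PACKAGES, pkg, blob)
        print("OK" if result is None else "REJECT: " + result)
```

A mismatch here only tells you that the .deb differs from what the index describes; it cannot tell you whether the mirror corrupted the package or served a substituted one together with a matching, also substituted, Packages file. That is exactly why the mail goes on to propose signing the Packages file itself: the hash check extends trust from the index to the package, and the signature is what extends trust from ftp.debian.org to the index.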