
Bug#268658: proposed release goal: DEBIAN/md5sums for all packages



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Fernández-Sanguino Peña wrote:
> On Mon, Aug 27, 2007 at 12:04:51PM +0200, A Mennucc wrote:
> I think I already pointed people interested in this to #268658.
> If ftpmasters were given the tools to implement this seamlessly then you
> could have aside tools that downloaded that file from the FTP site, and
> locally checked the md5sums.
> 

AFAICS in bug 268658 you propose to ship a signed 'Checksums-${ARCH}.gz'
with releases.

What I had in mind was slightly broader, though.

What I have in mind is a database containing all checksums of all binary
packages passing through unstable, with records such as
   package / arch / version / file / permissions / md5 / sha1 ....

The 'Checksums-${ARCH}.gz' that you mention in 268658 may be generated
from this database at release time; but the database would also be
useful for people tracking testing and unstable. The database may
have a web interface, and/or an LDAP interface (with cryptographic
protection), so it may be searched. When doing forensics, it would be
useful to search it using the hash as a key.

Again, following your reasoning in 268658, I would then add a link to
the web interface in packages pages such as
http://packages.debian.org/testing/base/procps

But you are definitely right on one point: records should be added by a
script inside the incoming queue.

a.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG1I0R9B/tjjP8QKQRAr2BAJ4/dRWnUX8W6SRF+Uy9QqTd127uQACePtGH
1gprvSqm26Z7t5zepFpEkYI=
=1IVv
-----END PGP SIGNATURE-----
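The following is an added illustration of the database sketched in the mail above; it is not code from the bug report, from Debian, or from the mail's author. It assumes an SQLite table with the record layout the mail lists (package / arch / version / file / permissions / md5 / sha1), populated here from constructed sample file contents with a placeholder version string, and shows the two lookups the mail motivates: checking an installed file against its recorded checksum, and the forensic reverse lookup from a hash to the package that shipped the file.

```python
"""Per-file checksum database: constructed example, not Debian's own code.

Record layout follows the mail: package / arch / version / file /
permissions / md5 / sha1.  In the proposal, records would be appended by
a script in the incoming queue; here they are built from constructed
sample contents so the example runs offline.
"""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE checksums (
    package     TEXT NOT NULL,
    arch        TEXT NOT NULL,
    version     TEXT NOT NULL,
    file        TEXT NOT NULL,
    permissions TEXT NOT NULL,
    md5         TEXT NOT NULL,
    sha1        TEXT NOT NULL,
    PRIMARY KEY (package, arch, version, file)
);
CREATE INDEX checksums_by_md5  ON checksums (md5);
CREATE INDEX checksums_by_sha1 ON checksums (sha1);
"""

# Constructed sample records: (package, arch, version, path, perms) -> bytes.
# "EXAMPLE-VERSION" is a placeholder; the real version would come from the
# uploaded .deb.  The two /bin/ps entries differ by architecture and content.
SAMPLE_FILES = {
    ("procps", "i386",  "EXAMPLE-VERSION", "/bin/ps",      "0755"): b"#!/bin/sh\necho sample ps\n",
    ("procps", "i386",  "EXAMPLE-VERSION", "/usr/bin/top", "0755"): b"#!/bin/sh\necho sample top\n",
    ("procps", "amd64", "EXAMPLE-VERSION", "/bin/ps",      "0755"): b"#!/bin/sh\necho sample ps 64\n",
}


def digests(data: bytes):
    """Return (md5, sha1) hex digests, the two hashes the mail's record carries."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def build_db():
    """Create an in-memory database and load the constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for (pkg, arch, ver, path, perms), data in SAMPLE_FILES.items():
        md5, sha1 = digests(data)
        conn.execute(
            "INSERT INTO checksums VALUES (?, ?, ?, ?, ?, ?, ?)",
            (pkg, arch, ver, path, perms, md5, sha1),
        )
    conn.commit()
    return conn


def verify_file(conn, pkg, arch, ver, path, data):
    """Integrity check of an installed file against its recorded checksums.

    Returns True if both hashes match, False on mismatch, None if the
    database has no record for that (package, arch, version, file).
    """
    row = conn.execute(
        "SELECT md5, sha1 FROM checksums "
        "WHERE package = ? AND arch = ? AND version = ? AND file = ?",
        (pkg, arch, ver, path),
    ).fetchone()
    if row is None:
        return None
    return tuple(row) == digests(data)


def lookup_by_hash(conn, data):
    """Forensic lookup: which (package, arch, version, file) shipped these bytes?

    Both hashes are required to match, so a collision in one algorithm
    alone does not produce a hit.
    """
    md5, sha1 = digests(data)
    rows = conn.execute(
        "SELECT package, arch, version, file FROM checksums "
        "WHERE md5 = ? AND sha1 = ? ORDER BY package, arch, version, file",
        (md5, sha1),
    ).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_db()
    unknown = b"#!/bin/sh\necho something else\n"
    print("ps ok:", verify_file(db, "procps", "i386", "EXAMPLE-VERSION", "/bin/ps",
                                SAMPLE_FILES[("procps", "i386", "EXAMPLE-VERSION", "/bin/ps", "0755")]))
    print("origin of sample ps:", lookup_by_hash(db, b"#!/bin/sh\necho sample ps\n"))
    print("origin of unknown file:", lookup_by_hash(db, unknown))
```

The primary key is (package, arch, version, file), so the same path can legitimately appear once per architecture and once per version, which is what makes the reverse lookup informative: a hit tells you not just the package but which build the file came from. Indexing both hash columns keeps the hash-keyed forensic query cheap as the table grows with every upload to unstable.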