On Mon, 1 Dec 2003 18:08:28 +0100, Eduard Bloch <[EMAIL PROTECTED]> said:
> AFAICS the only way to verify the contents of maintainer scripts > automaticaly is to have the binary package, verify its contents via > .changes or Release/Packages path, extract it and compare the > files. Too complicated. umm, not if it is automated at install time, when the package is present already. > I would like to see the following things happen: > - current md5sums file in control.tar.gz should contain checksums of > really all files Hard to do for conffiles. Now, if the md5sums were generated at install time, you could checksum my locally modified conffile (even if I did not accept the maintainers changes). The md5sums stored for conffiles currently are rarely any good, since the files are often modified by the admin. > - a signature of the md5sums file should be stored either in > control.tar.gz or in the ar file itself So you have to download the package itself to check the contents of the md5sum fule? Why not generate the md5sums at this point anyway? > - new dpkg version should pickup the signature files and store them > either in /var/lib/dpkg/info or in some alternative directory Or you could sign the newly generated md5sum files at install time, complete with the checksums of the locally modified conffiles, and not have to depend on knowing the key of the persons producing the Packages file. > - modify debsums to check the signature as well as maintainer > scripts' checksums ok. manoj -- I have a theory that it's impossible to prove anything, but I can't prove it. Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/%7Esrivasta/> 1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C