On Thu, 4 Dec 2003 12:43:18 +0100, Eduard Bloch <[EMAIL PROTECTED]> said:
>> include <hallo.h>
> * Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
>> > - current md5sums file in control.tar.gz should contain checksums
>> >   of really all files
>>
>> Hard to do for conffiles. Now, if the md5sums were generated

> Then only add the md5sums of the control.tar.gz contents and add it
> to the list created by dh_md5sums.

That does not help at all. I think you have missed the whole point:
the files that determine program behaviour on the target system do
not have checksums that can be generated from control.tar.gz.

>> at install time, you could checksum my locally modified conffile
>> (even if I did not accept the maintainer's changes). The md5sums
>> stored for conffiles currently are rarely any good, since the files
>> are often modified by the admin.

> This needs more work. I think Debian should archive the original
> versions of conffiles on the target filesystem anyways - the absence
> of them is a handicap for any long-term solution.

What good does checking the original conffiles do when they are not
looked at by anything? And how exactly is

    DPkg::Post-Invoke { "debsums --generate=nocheck -sp /var/cache/apt/archives"; };

much more work?

>> > - new dpkg version should pick up the signature files and store
>> >   them either in /var/lib/dpkg/info or in some alternative directory
>>
>> Or you could sign the newly generated md5sum files at install time,
>> complete with the checksums of the locally modified conffiles, and
>> not have to depend on knowing the key of the persons producing the
>> Packages file.

> But then you depend on a key that has stored on the local system -
> and I am not sure whom the user should trust more when the system
> has been compromised. And, as said, it requires additional work
> during the installation.

I think you fail to comprehend the solution I proposed. Where did you
get the idea the key is on the local machine?

manoj
--
No one knows like a woman how to say things that are at once gentle
and deep. Hugo
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
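
The difference between build-time and install-time checksums for conffiles that the message argues about, as an added example that is not part of the original message or of dpkg/debsums. The file names, contents and helper functions are constructed for illustration, and signing the generated manifest with an off-machine key is assumed to happen separately.

```python
import hashlib, os, tempfile

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()  # MD5 only because md5sums files use it

def install_time_manifest(root, shipped):
    """shipped: {relative path: md5 recorded when the package was built}.
    Returns (md5sums-format lines for what is on disk now, paths differing from shipped)."""
    lines, modified = [], []
    for rel in sorted(shipped):
        actual = md5_of(os.path.join(root, rel))
        lines.append(f"{actual}  {rel}")
        if actual != shipped[rel]:
            modified.append(rel)
    return lines, modified

def verify(root, manifest_lines):
    """Return the paths whose current content does not match the manifest."""
    bad = []
    for line in manifest_lines:
        digest, rel = line.split("  ", 1)
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or md5_of(path) != digest:
            bad.append(rel)
    return bad

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed sample package: one binary and one conffile (hypothetical names).
    files = {"usr/bin/tool": b"binary v1\n", "etc/tool.conf": b"option=default\n"}
    shipped = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    shipped_lines = [f"{d}  {r}" for r, d in sorted(shipped.items())]
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            write(root, rel, data)
        write(root, "etc/tool.conf", b"option=local\n")    # admin keeps a local edit
        manifest, modified = install_time_manifest(root, shipped)
        before = (verify(root, shipped_lines), verify(root, manifest))
        write(root, "etc/tool.conf", b"option=changed\n")  # later, unexpected change
        after = (verify(root, shipped_lines), verify(root, manifest))
    return modified, before, after

if __name__ == "__main__":
    print(demo())
```

The shipped checksums flag the conffile both before and after the later change, so they give no signal; the install-time manifest is clean after the admin's edit and flags only the later change.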