Bug#334536: debarchiver: Check archive integrity first, before adding packages or updating index files

2005-10-19 Thread Ola Lundqvist
Hello

On Tue, Oct 18, 2005 at 05:33:55PM +0200, Daniel Leidert wrote:
> Package: debarchiver
> Version: 0.5.3
> Severity: wishlist
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hello,
> 
> Now that we are able to create signed archives, we can think about
> adding an integrity check, which should be passed before everything
> else. Let's say, that one package is manipulated at the server. Running
> debarchiver as a cron-job currently makes it impossible to detect such a
> manipulation, because it does not check the integrity of an archive,
> before it updates the index files. So I think, we should add an integrity
> check. If the check is not successful, debarchiver should create a
> warn-mail and send it to a special address but reject all other jobs.
> 
> Does that make sense? Or is such a check maybe useless?

It makes sense to me. I currently do not have time to implement it but
patches are always welcome! :)

Regards,

// Ola

> Regards, Daniel
> 
> 
> - -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12.09050927
> Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
> 
> Versions of packages debarchiver depends on:
> ii  adduser   3.67.2   Add and remove users and groups
> ii  apt-utils 0.6.41   APT utility programs
> ii  dpkg-dev  1.13.11  package building tools for Debian
> ii  opalmod   0.1.13   A set of Perl modules for various
> 
> debarchiver recommends no packages.
> 
> - -- no debconf information
> 
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.2 (GNU/Linux)
> 
> iD8DBQFDVRXjdg0kG0+YFBERAuvlAJ91BPsQBHFMmg9JZjmPfhARId/HiACfX3hU
> geXDaDqX2BJc59Um8z0bGIQ=
> =vKpr
> -END PGP SIGNATURE-
> 
> 

-- 
 - Ola Lundqvist ---
/  [EMAIL PROTECTED] Annebergsslingan 37  \
|  [EMAIL PROTECTED] 654 65 KARLSTAD  |
|  +46 (0)54-10 14 30  +46 (0)70-332 1551   |
|  http://www.opal.dhs.org UIN/icq: 4912500 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#334536: debarchiver: Check archive integrity first, before adding packages or updating index files

2005-10-18 Thread Daniel Leidert
Package: debarchiver
Version: 0.5.3
Severity: wishlist

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

Now that we are able to create signed archives, we can think about
adding an integrity check, which should be passed before everything
else. Let's say, that one package is manipulated at the server. Running
debarchiver as a cron-job currently makes it impossible to detect such a
manipulation, because it does not check the integrity of an archive,
before it updates the index files. So I think, we should add an integrity
check. If the check is not successful, debarchiver should create a
warn-mail and send it to a special address but reject all other jobs.

Does that make sense? Or is such a check maybe useless?

Regards, Daniel


- -- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.09050927
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages debarchiver depends on:
ii  adduser   3.67.2   Add and remove users and groups
ii  apt-utils 0.6.41   APT utility programs
ii  dpkg-dev  1.13.11  package building tools for Debian
ii  opalmod   0.1.13   A set of Perl modules for various 

debarchiver recommends no packages.

- -- no debconf information

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDVRXjdg0kG0+YFBERAuvlAJ91BPsQBHFMmg9JZjmPfhARId/HiACfX3hU
geXDaDqX2BJc59Um8z0bGIQ=
=vKpr
-END PGP SIGNATURE-
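
Added example, not debarchiver code and not written by either poster: the checksum part of the integrity check proposed in this report, in Python. It assumes the Release file's signature has already been verified (for example with gpg --verify), that the directory is a dists/<suite> tree, and that every file listed in Release should exist; the function names are hypothetical.

```python
import hashlib
import os

# Release checksum field name -> hashlib algorithm name
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return [(algo, hexdigest, size, relative_path)] from a Release file."""
    entries, algo = [], None
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):      # continuation line of the current field
            parts = line.split()
            if algo and len(parts) == 3:
                entries.append((algo, parts[0].lower(), int(parts[1]), parts[2]))
        else:                            # a new field starts; track checksum fields only
            algo = SECTIONS.get(line.split(":", 1)[0])
    return entries

def check_archive(dist_dir):
    """Compare the files under dist_dir with its Release file; return problems."""
    with open(os.path.join(dist_dir, "Release"), encoding="utf-8") as fh:
        entries = parse_release(fh.read())
    if not entries:                      # fail closed: nothing to verify against
        return ["Release: no checksum entries, refusing to trust archive"]
    root = os.path.realpath(dist_dir)
    problems = []
    for algo, digest, size, rel in entries:
        path = os.path.realpath(os.path.join(root, rel))
        if os.path.commonpath([root, path]) != root:
            problems.append(f"{rel}: path escapes archive directory")
            continue
        if not os.path.isfile(path):
            problems.append(f"{rel}: listed in Release but missing")
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        if os.path.getsize(path) != size:
            problems.append(f"{rel}: size mismatch")
        elif h.hexdigest() != digest:
            problems.append(f"{rel}: {algo} mismatch")
    return problems
```

A cron wrapper would call check_archive() before any incoming job is processed and, on a non-empty result, mail the list to the administrator and stop without touching the index files.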

