On Sat, Mar 20, 2010 at 06:13:14AM -0700, Russ Allbery wrote:
> Yeah, that would be one such convention. I don't know if that's better or
> if adding a prefix of data: and control: to the path names would be
> better. My guess is that the latter may be a bit more flexible for
> possible long-term changes, like adding other deb members later for some
> reason that we want to sign.

But aren't we talking about checksums of installed files here? So after package installation I'd like to have the file as /var/lib/dpkg/info/<package>.checksums, just like the md5sums now, only that it's signed (preferably with a detached signature). This file has to be included verbatim in the package. You can't strip the data:/control: prefix on installation, as this would invalidate the signature. And it shouldn't be installed containing these prefixes, because then you can't use standard tools to verify the checksums.

If other stuff should be added later, for instance debsigs-like signatures, then additional files can be added to the deb. I don't think it's wise trying to define a catch-all format now and I don't see why arbitrary additional files for further extensions couldn't be added to the deb later. All these files could be packed together in, say, security.tar.gz, so you can always remove this single member from the ar to get the classic deb.

harry
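
Added example, not part of the original message or of dpkg: a shell sketch of the three cases argued above (list shipped verbatim, list installed with `data:` prefixes, prefixes stripped on installation). It assumes `sha256sum` as the standard checksum tool and a throwaway `openssl` RSA key standing in for a real signing key; all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every file name and the throwaway key exist only here.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

setup() {
    mkdir -p "$WORK/root/usr/bin"
    printf 'hello\n' > "$WORK/root/usr/bin/hello"
    # Plain list: standard sha256sum format, paths relative to the install root.
    (cd "$WORK/root" && sha256sum usr/bin/hello) > "$WORK/plain.checksums"
    # Same list with a "data:" prefix in front of each path.
    sed 's|  |  data:|' "$WORK/plain.checksums" > "$WORK/prefixed.checksums"
    # Throwaway signing key (assumption: stands in for a real package key).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
    # Detached signatures over the exact bytes of each list as shipped.
    for f in plain prefixed; do
        openssl dgst -sha256 -sign "$WORK/key.pem" \
            -out "$WORK/$f.sig" "$WORK/$f.checksums"
    done
    # What an installer would write if it stripped the prefix on installation.
    sed 's|  data:|  |' "$WORK/prefixed.checksums" > "$WORK/stripped.checksums"
}

# sig_ok LIST SIG: does detached signature SIG cover the bytes of LIST?
sig_ok() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/$2" "$WORK/$1" >/dev/null 2>&1
}

# files_ok LIST: can the standard tool check the installed files against LIST?
files_ok() {
    (cd "$WORK/root" && sha256sum -c "$WORK/$1" >/dev/null 2>&1)
}

report() {
    if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi
}

setup
report sig_ok   plain.checksums    plain.sig      # shipped and installed verbatim
report files_ok plain.checksums
report sig_ok   prefixed.checksums prefixed.sig   # prefixed, installed as-is
report files_ok prefixed.checksums
report sig_ok   stripped.checksums prefixed.sig   # prefix stripped on install
report files_ok stripped.checksums
```

Only the verbatim, unprefixed list passes both checks; the prefixed list keeps its signature but fails `sha256sum -c`, and the stripped list verifies the files but no longer matches the signature.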