Harald Braumann <ha...@unheit.net> writes: > On Sat, Mar 20, 2010 at 06:13:14AM -0700, Russ Allbery wrote:
>> Yeah, that would be one such convention. I don't know if that's better >> or if adding a prefix of data: and control: to the path names would be >> better. My guess is that the latter may be a bit more flexible for >> possible long-term changes, like adding other deb members later for >> some reason that we want to sign. > But aren't we talking about checksums of installed files here? So after > package installation I'd like to have the file as > /var/lib/dpkg/info/<packag>.checksums, just like the md5sums now, only > that it's signed (preferably with a detached signature). This file has > to be included verbatim in the package. You can't strip the > data:/control: prefix on installation, as this would invalidate the > signature. And it shouldn't be installed containing these prefixes, > because then you can't use standard-tools to verify the checksums. I agree with all of that; I'm just not sure the last bit actually matters. It's trivial to write a tiny tool that would verify the checksums using other tools. But I can see the appeal, and I wouldn't argue against using the installed path either. Note, though, that if only installed files can be listed in the signature, the signature doesn't cover DEBIAN/control file, which seems like a bad idea. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87k4t6bz3q....@windlord.stanford.edu
