Dear Jakub, Ian, and everybody,

would the following patch address your questions?
--- vnd.debian.package.bak20140202 2014-02-02 22:07:56.175007336 +0900 +++ vnd.debian.package 2014-02-02 22:17:59.342650431 +0900 
@@ -18,24 +18,26 @@ Debian binary packages can contain scripts executing arbitrary commands during installation, which is done with administrator privileges. It is therefore essential to trust the origin of the package. The recommended way is to -download packages from APT (Advanced Packaging Tool) archives that are +download packages from Debian format archives that are authenticated with a trusted cryptographic key (see the manual page of apt-secure for details). As a lesser alternative for cases where APT tools are not available, the package should be downloaded with secured protocols such as HTTPS. There also exists a mechanism for signing packages directly (called ‘debsigs’), but it is not deployed. -The contents of the Debian binary packages are placed inside tar archives -(possibly compressed) wrapped in an ar archive (see the ‘deb’ manual page for +The Debian binary package consists of an ‘ar‘ archive (in old common format) +containing, amongst other things, compressed tar archives for the primary +package contents such as the files to be installed (see the ‘deb’ manual page for details on the format); it is therefore possible to inspect them with standard UNIX tools (although the recommended way is through the command ‘dpkg-deb’) without actually installing the package and therefore without executing the -package's scripts. An estimate of the uncompressed size of the package may be +package's scripts. However, creating a Debian binary package requires the +Debian tools. An estimate of the uncompressed size of the package may be available in its ‘control’ file, but it can only be trusted if the package itself is trusted (a malicious person can design a package containing small compressed files that become extremely large after decompression). 
-Since the Debian packages vehiculate programs to be installed on a computer, +Since the Debian packages conveys programs to be installed on a computer, the monitoring of a user's downloads over non-secured transport protocols such as HTTP or FTP may reveal information pertaining to the user's privacy, or suggest information related to the system's security such as the precise

For Ian's last question:

> > Magic number(s):
> >
> > Version 2.0 files start with the following string:
> > !<arch>\ndebian-binary
>
> Is it necessary to say that there "\n" represents an ASCII linefeed
> character?

Looking at other records, I do not think it is necessary.

I attached again a plain version of the media type declaration.

To everybody: please note that the debian-policy mailing list is indicated as a contact point; please let me know if you think it is a bad idea.

Have a nice Sunday,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan
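
Review bot: In the first changed paragraph, replacing "APT (Advanced Packaging Tool) archives" with "Debian format archives" makes the trust recommendation ambiguous. The next sentence still speaks of "APT tools" and apt-secure, now without APT having been introduced, and the following paragraph uses "archive" for the ar and tar containers inside a single package, so a reader can take "Debian format archives" to mean the .deb file itself rather than a signed repository. I would keep the repository meaning explicit, for example "Debian package repositories (APT archives)". Smaller points in the same hunk: "+Since the Debian packages conveys" should read "convey"; ‘ar‘ closes with an opening quotation mark; and "However, creating a Debian binary package requires the Debian tools" is not a security statement and may fit better under Interoperability considerations.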
Type name: application

Subtype name: vnd.debian.binary-package

Required parameters: None.

Optional parameters: None.

Encoding considerations: binary

Security considerations:

   Debian binary packages can contain scripts executing arbitrary commands during installation, which is done with administrator privileges. It is therefore essential to trust the origin of the package. The recommended way is to download packages from Debian format archives that are authenticated with a trusted cryptographic key (see the manual page of apt-secure for details). As a lesser alternative for cases where APT tools are not available, the package should be downloaded with secured protocols such as HTTPS. There also exists a mechanism for signing packages directly (called ‘debsigs’), but it is not deployed.

   The Debian binary package consists of an ‘ar’ archive (in old common format) containing, amongst other things, compressed tar archives for the primary package contents such as the files to be installed (see the ‘deb’ manual page for details on the format); it is therefore possible to inspect them with standard UNIX tools (although the recommended way is through the command ‘dpkg-deb’) without actually installing the package and therefore without executing the package's scripts. However, creating a Debian binary package requires the Debian tools. An estimate of the uncompressed size of the package may be available in its ‘control’ file, but it can only be trusted if the package itself is trusted (a malicious person can design a package containing small compressed files that become extremely large after decompression).

   Since the Debian packages convey programs to be installed on a computer, the monitoring of a user's downloads over non-secured transport protocols such as HTTP or FTP may reveal information pertaining to the user's privacy, or suggest information related to the system's security such as the precise version numbers of programs in use.

Interoperability considerations:

   Arbitrary Debian binary packages can be installed on any system where the ‘dpkg’ package manager is used, but it is recommended to only install packages that have been built for a release matching the distribution installed on the system.

Published specification:

   http://manpages.debian.org/cgi-bin/man.cgi?query=deb&manpath=Debian+unstable+sid
   http://manpages.debian.org/deb

Applications that use this media type:

   The Debian binary packages are manipulated by system programs such as ‘dpkg’, ‘apt-get’, graphical front-ends such as ‘Synaptic’ but also generic archive decompressors such as ‘File Roller’. After downloading a package with a web browser or after clicking on its icon, front-ends or decompressors are usually started.

Fragment identifier: None.

Restrictions on usage: None.

Additional information:

   Deprecated alias names for this type:
      application/x-debian-package
      application/x-deb

   Magic number(s):
      Version 2.0 files start with the following string:
      !<arch>\ndebian-binary

   File extension(s): deb

   Macintosh file type code(s): None.

   Object Identifier(s) or OID(s): None.

Person & email address to contact for further information:

   The Debian Policy mailing list <debian-policy&lists.debian.org>

Intended usage: Common

Author: Charles Plessy <plessy&debian.org>

Change controller: The Debian Project <http://www.debian.org>
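
The inspection that the security considerations describe, as an added example that is not part of the original message or of the Debian tools: it checks the magic string, walks the ar container and reads the ‘control’ file without running anything, and caps decompression instead of trusting the declared size. The sample package, the gzip-compressed member names control.tar.gz and data.tar.gz, and all function names are assumptions made for the illustration.

```python
import io, tarfile, zlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Return [(name, data)] from a .deb's ar container; nothing is executed."""
    if not blob.startswith(AR_MAGIC + b"debian-binary"):  # magic from the registration
        raise ValueError("not a version 2.0 Debian binary package")
    pos, out = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]  # fixed 60-byte member header
        if len(hdr) < 60 or hdr[58:] != b"`\n":
            raise ValueError("corrupt ar member header")
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        if size < 0 or len(data) != size:
            raise ValueError("truncated ar member")
        out.append((hdr[:16].decode("ascii").rstrip(" /"), data))
        pos += 60 + size + (size & 1)  # members start on even offsets
    return out

def bounded_gunzip(data, limit):
    """Gunzip data, raising once the output would exceed limit bytes."""
    out = zlib.decompressobj(31).decompress(data, limit + 1)  # 31 = gzip framing
    if len(out) > limit:
        raise ValueError("decompressed size exceeds %d bytes" % limit)
    return out

def read_control(blob, limit=1 << 20):
    """Return the 'control' text (assumes a gzip-compressed control.tar.gz member)."""
    raw = bounded_gunzip(dict(ar_members(blob))["control.tar.gz"], limit)
    with tarfile.open(fileobj=io.BytesIO(raw)) as tf:
        m = next(m for m in tf if m.name.lstrip("./") == "control")
        return tf.extractfile(m).read().decode()

def _entry(name, data):  # one ar member, for the constructed sample only
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, b"100644", len(data))
    return hdr + data + b"\n" * (len(data) & 1)

def _tgz(name, body):  # one-file tar.gz, for the constructed sample only
    buf, info = io.BytesIO(), tarfile.TarInfo(name)
    info.size = len(body)
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed sample: control declares 1 KiB installed; data expands to over 8 MiB.
CONTROL = _tgz("./control", b"Package: demo\nInstalled-Size: 1\n")
SAMPLE = (AR_MAGIC + _entry(b"debian-binary", b"2.0\n") + _entry(b"control.tar.gz", CONTROL)
          + _entry(b"data.tar.gz", _tgz("./big", bytes(8 << 20))))
```

With the sample, the control file still reports Installed-Size: 1 while bounded_gunzip rejects data.tar.gz at a 1 MiB limit, which is the mismatch the registration warns about.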