Harald Braumann <ha...@unheit.net> writes:
> On Fri, Mar 19, 2010 at 05:56:40PM -0700, Russ Allbery wrote:

>> I think it would replace dh_*sums during package build time and make
>> obsolete including md5sums in the control.tar.gz. You don't really
>> want the signature and checksums to be inside one of the other data
>> members since that breaks, as Wouter points out, the ability to remove
>> the signature and checksums and verify against the original *.changes
>> file. And there's no need to include two copies of the checksums.

> There would only be one additional file, containing a detached
> signature for the checksum file. No duplication of checksums and it
> can easily be removed from the ar. But doing everything in one step,
> like you proposed, is better anyway.

Oh, I see what you're saying. Yeah, that could work too.

> To include checksums for control.tar.gz, just add them to the same
> checksum file, but with the paths the files will have after package
> installation (/var/lib/dpkg/...).

Yeah, that would be one such convention. I don't know if that's better or
if adding a prefix of data: and control: to the path names would be
better. My guess is that the latter may be a bit more flexible for
possible long-term changes, like adding other deb members later for some
reason that we want to sign.

--
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
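The `data:` / `control:` prefix convention discussed in the message above, as an added example that is not part of the original thread and is not dpkg code. The `member:path` key syntax, the use of SHA-256, and the helper names are assumptions; the manifest's detached signature is taken as already checked.

```python
import hashlib
import io
import tarfile


def make_tar(files):
    """Build an in-memory .tar.gz from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest(members):
    """Return a sorted {"member:path": sha256} dict for every regular file.

    `members` maps a prefix ("control", "data", ...) to tar.gz bytes.
    Prefix syntax and SHA-256 are assumptions, not a dpkg format.
    """
    sums = {}
    for prefix, blob in members.items():
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for info in tar:
                if info.isfile():
                    data = tar.extractfile(info).read()
                    sums[f"{prefix}:{info.name}"] = hashlib.sha256(data).hexdigest()
    return dict(sorted(sums.items()))


def verify(trusted, members):
    """Compare a trusted manifest (signature check is out of scope here)
    with the members actually present; return a list of (problem, name)."""
    actual = manifest(members)
    problems = []
    for name in sorted(trusted.keys() | actual.keys()):
        if name not in actual:
            problems.append(("missing", name))
        elif name not in trusted:
            problems.append(("unlisted", name))
        elif trusted[name] != actual[name]:
            problems.append(("modified", name))
    return problems


# Constructed sample members (not a real .deb).
SAMPLE = {
    "control": make_tar({"control": b"Package: hello\n", "postinst": b"#!/bin/sh\n"}),
    "data": make_tar({"usr/bin/hello": b"sample binary"}),
}
```

Because each entry is keyed by member, a later member added to the archive shows up as `unlisted` instead of colliding with an existing path.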