On Fri, 16 Apr 2010, Harald Braumann wrote: > On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote: > > > Even if it creates a checksum file, someone could always hand-edit the > > package to add files not listed in the checksum files and we need to > > decide whether that's something that needs to be catched and if yes by > > whom and at what point. > > Do you mean a maintainer, who hand-edits a package after it was > built, or do you mean an adversery who has evil intentions? If the
The latter. > former, then this should just be forbidden. If the latter, than this > can be solved by package signatures. Which one? We are discussing something that is a signature of the (content of the) package. And there's the signature on Release/Package which can authenticate the .deb in its entirety. I'm discussing the case where the signature of the "checksums" file is valid but that checksums file does not list all the files present in data.tar.gz or control.tar.gz. Cheers, -- Raphaƫl Hertzog Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/ My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/ -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100416060813.ga12...@rivendell
