Package: dpkg
Version:
Severity: Important

(Important as it is a security issue that has been brought up recently in several contexts, and we know that mirrors can be compromised.)
.debs should have an extra component in the ar archive which are PGP-signed MD5 sums (or equivalent) of the other two sections of the .deb archive (control and data). Dpkg (or dpkg-deb?) should create this part when asked to, in a way to be decided, and should be able to check it if asked to.

Less urgent is a way of enabling users to confirm these PGP signatures before installing the packages.

There is the obvious DFSG problem of making dpkg depend on PGP -- this may actually be a very good opportunity to begin working towards GnuPG by having the signatures be GnuPG ones.

Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Julian Gilbey, Dept of Maths, QMW, Univ. of London. [EMAIL PROTECTED]
Debian GNU/Linux Developer. [EMAIL PROTECTED]
-*- Finger [EMAIL PROTECTED] for my PGP public key. -*-
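To make the proposal above concrete, here is an added illustration (not part of the bug report, and not dpkg's own code or format) of what a "signed sums" member would look like: a .deb is an ar archive holding debian-binary, control.tar.gz and data.tar.gz; the extra member carries md5sum-style lines for the control and data members plus a signature over those lines, and a checker recomputes the sums and rejects the package if the member is missing, the signature is wrong, or either tarball was altered. The member name _gpgsums, the ar header layout used here, and the sample package contents are assumptions; the signature is stood in by an HMAC with a constructed key so the example runs offline, where the report envisions a PGP/GnuPG signature over the same text.

```python
import hashlib
import hmac
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
SUMS_MEMBER = "_gpgsums"                      # assumed name for the extra member
SIG_HEADER = "-----STAND-IN SIGNATURE-----\n"  # stand-in for a PGP signature block


def ar_pack(members):
    """Write (name, bytes) pairs as a common-format ar archive (60-byte headers)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode("ascii")
        out.write(hdr + b"`\n")
        out.write(data)
        if len(data) % 2:          # members are padded to an even offset
            out.write(b"\n")
    return out.getvalue()


def ar_unpack(blob):
    """Parse an ar archive back into (name, bytes) pairs, refusing malformed input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("corrupt member header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58])
        pos += 60
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated member")
        members.append((name, data))
        pos += size + (size % 2)
    return members


def sums_text(members):
    """md5sum-style lines for the control and data members only."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()}  {name}\n"
        for name, data in members
        if name.startswith(("control.tar", "data.tar"))
    )


def sign_sums(text, key):
    """Stand-in for 'gpg --clearsign': append an HMAC over the sums text."""
    mac = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    return text + SIG_HEADER + mac + "\n"


def add_sums_member(deb, key):
    """Return a copy of the .deb with a signed _gpgsums member appended."""
    members = [m for m in ar_unpack(deb) if m[0] != SUMS_MEMBER]
    signed = sign_sums(sums_text(members), key)
    return ar_pack(members + [(SUMS_MEMBER, signed.encode())])


def verify_deb(deb, key):
    """Check signature first, then that the sums still match the tarballs."""
    members = ar_unpack(deb)
    sums = dict(members).get(SUMS_MEMBER)
    if sums is None:
        return False, "no signed sums member"
    text, _, mac = sums.decode().partition(SIG_HEADER)
    expected = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac.strip()):
        return False, "bad signature"
    others = [m for m in members if m[0] != SUMS_MEMBER]
    if text != sums_text(others):
        return False, "checksum mismatch"
    return True, "ok"


def _targz(files):
    """Build a small gzipped tar in memory from {path: bytes} (constructed content)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb():
    """A constructed unsigned .deb-shaped archive for the demonstration."""
    return ar_pack([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _targz({"./control": b"Package: example\nVersion: 1.0\n"})),
        ("data.tar.gz", _targz({"./usr/bin/example": b"#!/bin/sh\necho hello\n"})),
    ])


def replace_member(deb, name, data):
    """Swap one member's bytes (simulates a package altered after signing)."""
    return ar_pack([(n, data if n == name else d) for n, d in ar_unpack(deb)])


if __name__ == "__main__":
    key = b"constructed-demo-key"
    signed = add_sums_member(build_sample_deb(), key)
    print(verify_deb(signed, key))
    altered = replace_member(signed, "data.tar.gz", _targz({"./usr/bin/example": b"bad"}))
    print(verify_deb(altered, key))
```

Verification checks the signature before comparing sums, so an attacker who can rewrite the archive cannot simply regenerate the sums member; with a real PGP signature the same order applies, and "which keys are trusted to sign packages" is the policy question the report leaves for later.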