> debian-binary > control.tar.gz > data.tar.gz > filelist.gz > detatched-sig-of-filelist.gz > detatched-sig-of-the-whole-deb
This is what I was thinking as well. The current dpkg-deb is sub-optimal, however, for making this md5sum list. It uses external tar to make data.tar.gz, which means each file would need to be read twice. I have code implemented in another language that reads tar natively, and am planning to use this knowledge when I rewrite dpkg-deb. At that point, I'll have dpkg-deb calculate the md5sums while adding files to the tar. However, this may or may not happen for dpkg 1.10. Depending on release schedules, dpkg 1.10 will be in woody+1, and maybe dpkg 1.11. Wichert and I have discusssed enough ideas to keep us both busy for at least that long.
