Javier Fernández-Sanguino Peña wrote:
> On Mon, Aug 27, 2007 at 12:04:51PM +0200, A Mennucc wrote:
> I think I already pointed people interested in this to #268658.
> If ftpmasters were given the tools to implement this seamlessly then you
> could have aside tools that downloaded that file from the FTP site, and
> locally checked the md5sums.
>

AFAICS in bug 268658 you propose to ship a signed 'Checksums-${ARCH}.gz' with releases.

What I had in mind was slightly broader, though. What I have in mind is a database containing all checksums of all binary packages passing through unstable, with records such as package / arch / version / file / permissions / md5 / sha1 ....

The 'Checksums-${ARCH}.gz' that you mention in 268658 may be generated from this database at release time; but the database would also be useful for people tracking testing and unstable.

The database may have a web interface, and/or an LDAP interface (with cryptographic protection), so it may be searched. When doing forensics, it would be useful to search it using the hash as a key.

Again, following your reasoning in 268658, I would then add a link to the web interface in package pages such as http://packages.debian.org/testing/base/procps

But you are definitely right on one point: records should be added by a script inside the incoming queue.

a.
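The record layout and hash-keyed search proposed in the message above, sketched as an added example that is not part of the original mail or of any Debian tooling. SQLite stands in for the database, and the table name, function names and the sample package tree are assumptions made for illustration.

```python
import hashlib, os, sqlite3, stat, tempfile
# Hypothetical schema for the record layout named in the mail.
SCHEMA = """CREATE TABLE files (
    package TEXT, arch TEXT, version TEXT, path TEXT, mode TEXT,
    md5 TEXT, sha1 TEXT, PRIMARY KEY (package, arch, version, path));
CREATE INDEX by_md5 ON files (md5);
CREATE INDEX by_sha1 ON files (sha1);"""

def digests(path):
    """Return (md5, sha1) hex digests of a file's contents."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def record_package(db, package, arch, version, root):
    """Add one record per regular file under root (an unpacked package tree)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and devices carry no content hash
            db.execute("INSERT OR REPLACE INTO files VALUES (?,?,?,?,?,?,?)",
                       (package, arch, version, "/" + os.path.relpath(full, root),
                        oct(stat.S_IMODE(mode)), *digests(full)))
    db.commit()

def lookup_hash(db, digest):
    """Forensic lookup: which package/arch/version/file shipped this digest?"""
    column = {32: "md5", 40: "sha1"}.get(len(digest))  # fixed names, never user input
    if column is None:
        raise ValueError("expected an MD5 or SHA-1 hex digest")
    return db.execute(f"SELECT package, arch, version, path, mode FROM files "
                      f"WHERE {column} = ?", (digest.lower(),)).fetchall()

def demo():
    """Constructed sample: record a fake procps tree, then look up two hashes."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "bin", "ps")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as fh:
            fh.write(b"constructed sample binary\n")
        os.chmod(target, 0o755)
        record_package(db, "procps", "i386", "0.0-sample", root)
        known = lookup_hash(db, digests(target)[1])
    return known, lookup_hash(db, hashlib.sha1(b"not in archive").hexdigest())

if __name__ == "__main__":
    print(demo())
```

An empty result for a file found on a system means no recorded package version ever shipped those bytes, which is the signal the forensic search is after.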