Hello,

Maybe some of you have already noticed it: it seems some of the squirrelmail archives have been manipulated [1]. I've downloaded the package source and compared the md5sum of the .tar.gz to the ones provided by the squirrelmail developers, and it seems we have one of the original tarballs.
Now I know some upstream authors automatically provide (signed) MD5 sums together with their packages (I do, for example). Is there anything in the Debian packaging architecture to automatically fetch and compare the MD5 hash of the downloaded tarball to the (signed) MD5 hash provided by the author (besides the fact that this should be done by the package maintainer manually)? Would it make sense to add something to the packaging infrastructure or (maybe) to ftp.debian.org as part of the incoming process?

I could imagine extending debian/watch to contain a search pattern for MD5 hash files and their signature files so that they are downloaded too, and extending the dpkg utilities to compare the hash in the .dsc to an existing .md5 (and to verify this file with the signature in e.g. .md5.asc if possible). This would mean that these files could be available only on the maintainer's computer, or be uploaded along with the .dsc, ... too. It would probably need a new keyring with the keys of upstream projects.

Or is there already something similar that I just don't know about? I would first like to hear some opinions before I write a wishlist report.

[1] http://www.squirrelmail.org -> "SECURITY: 1.4.12 Package Compromise"

Regards,
Daniel
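The cross-check proposed in the message above (compare the MD5 recorded in the .dsc Files: field for the orig tarball against the hash in an upstream-published .md5 file), as an added example in Python; it is not part of this message, of Debian's tooling, or of the squirrelmail project. The .dsc stanza, the .md5 file, the tarball bytes and the file names are constructed stand-ins, the Debian-to-upstream file-name mapping is passed in explicitly (the names usually differ), and verifying the .md5.asc signature against an upstream keyring is assumed to have happened before this comparison runs.

```python
"""Cross-check the MD5 in a .dsc Files: entry against an upstream .md5 file.

Added example, not Debian or squirrelmail code. Assumes the upstream .md5
file has already been signature-verified (e.g. gpg --verify against a
keyring of upstream keys); this code only does the hash comparison.
"""
import hashlib
import re
from typing import Dict, List, Tuple


def md5_hex(data: bytes) -> str:
    """MD5 of the given bytes as lowercase hex, the way md5sum(1) prints it."""
    return hashlib.md5(data).hexdigest()


def parse_dsc_files(dsc_text: str) -> Dict[str, Tuple[str, int]]:
    """Return {filename: (md5, size)} from the Files: field of a .dsc.

    Files: is a multi-line field: the lines after 'Files:' are indented by
    one space and carry '<md5> <size> <name>'; the field ends at the first
    line that is not indented (the next field).
    """
    files: Dict[str, Tuple[str, int]] = {}
    in_files = False
    for line in dsc_text.splitlines():
        if in_files:
            if not line.startswith(" "):
                break  # next field reached
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed Files: entry: {line!r}")
            digest, size, name = parts
            files[name] = (digest.lower(), int(size))
        elif line.startswith("Files:"):
            in_files = True
    if not files:
        raise ValueError("no Files: field found in .dsc")
    return files


# md5sum(1) output: '<md5>  <name>' (text mode) or '<md5> *<name>' (binary mode)
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_md5sum_file(text: str) -> Dict[str, str]:
    """Return {filename: md5} from a file in md5sum(1) output format.

    Malformed lines are rejected rather than skipped, so a mangled .md5
    file cannot quietly turn into 'no entries to check'.
    """
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MD5SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed md5sum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums


def compare_dsc_to_upstream(dsc_text: str, upstream_md5_text: str,
                            name_map: Dict[str, str]) -> List[str]:
    """Compare each mapped orig tarball's MD5 in the .dsc with upstream's.

    name_map maps the Debian file name (foo_1.0.orig.tar.gz) to the name
    upstream publishes (foo-1.0.tar.gz). Returns a list of problems; an
    empty list means every mapped tarball matched.
    """
    dsc_files = parse_dsc_files(dsc_text)
    upstream = parse_md5sum_file(upstream_md5_text)
    problems: List[str] = []
    for debian_name, upstream_name in name_map.items():
        if debian_name not in dsc_files:
            problems.append(f"{debian_name}: not listed in .dsc Files:")
            continue
        if upstream_name not in upstream:
            problems.append(f"{upstream_name}: not listed in upstream .md5 file")
            continue
        dsc_md5 = dsc_files[debian_name][0]
        if dsc_md5 != upstream[upstream_name]:
            problems.append(
                f"{debian_name}: MD5 {dsc_md5} in .dsc differs from upstream "
                f"{upstream[upstream_name]} for {upstream_name}")
    return problems


# Constructed sample data (hypothetical, not the real squirrelmail artefacts).
GOOD_TARBALL = b"stand-in for the upstream tarball contents\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"extra bytes standing in for a modified archive\n"
DEBIAN_NAME = "squirrelmail_1.4.12.orig.tar.gz"
UPSTREAM_NAME = "squirrelmail-1.4.12.tar.gz"
NAME_MAP = {DEBIAN_NAME: UPSTREAM_NAME}
UPSTREAM_MD5_FILE = f"{md5_hex(GOOD_TARBALL)}  {UPSTREAM_NAME}\n"


def make_dsc(tarball: bytes) -> str:
    """Build a minimal constructed .dsc whose Files: entry describes `tarball`."""
    return ("Format: 1.0\n"
            "Source: squirrelmail\n"
            "Version: 1.4.12-1\n"
            "Files:\n"
            f" {md5_hex(tarball)} {len(tarball)} {DEBIAN_NAME}\n"
            f" {md5_hex(b'diff')} 4 squirrelmail_1.4.12-1.diff.gz\n")


if __name__ == "__main__":
    print(compare_dsc_to_upstream(make_dsc(GOOD_TARBALL), UPSTREAM_MD5_FILE, NAME_MAP))
    print(compare_dsc_to_upstream(make_dsc(TAMPERED_TARBALL), UPSTREAM_MD5_FILE, NAME_MAP))
```

The second call models the situation in the message: the maintainer's .dsc describes a tarball whose hash no longer matches what upstream signed, and the function reports exactly which file disagrees instead of silently passing. The comparison is only as strong as the signature check on the .md5 file and the keyring it is checked against; MD5 itself is also no longer collision-resistant, so the same parsing logic applied to SHA-256 sums is what a practitioner would prefer today.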