On Fri, 16 Apr 2010, Harald Braumann wrote:
> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>
> > Even if it creates a checksum file, someone could always hand-edit the
> > package to add files not listed in the checksum files and we need to
> > decide whether that's something that needs to be catched and if yes by
> > whom and at what point.
>
> Do you mean a maintainer, who hand-edits a package after it was
> built, or do you mean an adversery who has evil intentions? If the
The latter.
> former, then this should just be forbidden. If the latter, than this
> can be solved by package signatures.
Which one? We are discussing something that is a signature of the (content
of the) package. And there's the signature on Release/Package which can
authenticate the .deb in its entirety.
I'm discussing the case where the signature of the "checksums" file is valid
but that checksums file does not list all the files present in
data.tar.gz or control.tar.gz.
Cheers,
--
Raphaël Hertzog
Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20100416060813.GA12604@rivendell">http://lists.debian.org/20100416060813.GA12604@rivendell
04-16-2010, 11:30 AM
Harald Braumann
Bug#540215: Introduce dh_checksums
On Fri, Apr 16, 2010 at 08:08:13AM +0200, Raphael Hertzog wrote:
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.
Require that checksums exist for all files and let dpkg check
that at installation time.
But yes, I second your proposal for a DEP, instead of discussing
details further in this thread, which has already become quite
chaotic.
harry
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20100416113022.GC25023@sbs288.lan">http://lists.debian.org/20100416113022.GC25023@sbs288.lan
04-16-2010, 11:30 AM
Harald Braumann
Bug#540215: Introduce dh_checksums
On Fri, Apr 16, 2010 at 08:08:13AM +0200, Raphael Hertzog wrote:
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.
Require that checksums exist for all files and let dpkg check
that at installation time.
But yes, I second your proposal for a DEP, instead of discussing
details further in this thread, which has already become quite
chaotic.
harry
--
To UNSUBSCRIBE, email to debian-dpkg-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20100416113022.GC25023@sbs288.lan">http://lists.debian.org/20100416113022.GC25023@sbs288.lan
04-16-2010, 03:04 PM
Goswin von Brederlow
Bug#540215: Introduce dh_checksums
Harald Braumann <harry@unheit.net> writes:
> On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
>
>> The checksum file could be attached as additional member in the
>> .deb. And a signature could be a signed file containing the checksum
>> size and name of all members of a .deb preceeding the signature. That
>> way the signature can verify the deb itself or individual members, like
>> the checksum file, in the .deb. Just a thought.
>
> I'm not sure, how you mean that exactly. But the signature must be
> over the checksum file, nothing more and nothing less. Otherwise
> you won't be able to verify the checksum file.
> Also I think it's really a very bad idea in general to mix multiple
> different things into one signature. The one thing is a signature over
> installed files (via the checksum file). The other is a signature over
> a package. The two are completely orthogonal and serve different
> purposes.
It would be a signature over members of the .deb file. The meaning of
each member doesn't matter.
> harry
MfG
Goswin
--
To UNSUBSCRIBE, email to debian-dpkg-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87k4s7l9pj.fsf@frosties.localdomain">http://lists.debian.org/87k4s7l9pj.fsf@frosties.localdomain
04-16-2010, 03:04 PM
Goswin von Brederlow
Bug#540215: Introduce dh_checksums
Harald Braumann <harry@unheit.net> writes:
> On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
>
>> The checksum file could be attached as additional member in the
>> .deb. And a signature could be a signed file containing the checksum
>> size and name of all members of a .deb preceeding the signature. That
>> way the signature can verify the deb itself or individual members, like
>> the checksum file, in the .deb. Just a thought.
>
> I'm not sure, how you mean that exactly. But the signature must be
> over the checksum file, nothing more and nothing less. Otherwise
> you won't be able to verify the checksum file.
> Also I think it's really a very bad idea in general to mix multiple
> different things into one signature. The one thing is a signature over
> installed files (via the checksum file). The other is a signature over
> a package. The two are completely orthogonal and serve different
> purposes.
It would be a signature over members of the .deb file. The meaning of
each member doesn't matter.
> harry
MfG
Goswin
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87k4s7l9pj.fsf@frosties.localdomain">http://lists.debian.org/87k4s7l9pj.fsf@frosties.localdomain
04-16-2010, 03:14 PM
Goswin von Brederlow
Bug#540215: Introduce dh_checksums
Raphael Hertzog <hertzog@debian.org> writes:
> On Fri, 16 Apr 2010, Harald Braumann wrote:
>> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>>
>> > Even if it creates a checksum file, someone could always hand-edit the
>> > package to add files not listed in the checksum files and we need to
>> > decide whether that's something that needs to be catched and if yes by
>> > whom and at what point.
>>
>> Do you mean a maintainer, who hand-edits a package after it was
>> built, or do you mean an adversery who has evil intentions? If the
>
> The latter.
>
>> former, then this should just be forbidden. If the latter, than this
>> can be solved by package signatures.
>
> Which one? We are discussing something that is a signature of the (content
> of the) package. And there's the signature on Release/Package which can
> authenticate the .deb in its entirety.
>
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.
The checksum file can be altered prior to the signature being added. But
so can any other part of the .deb file. We have to assume that no
adversery with evil intentions has access to the .deb prior to it being
signed. So it comes down to the maintainer not screwing up the package
prior to uploading.
The DAK can verify the validity of the signature and the completness of
the checksum file during upload if that is considered neccessary. I do
not think every user should have to do so during install. But it could
be optional with default off.
> Cheers,
MfG
Goswin
--
To UNSUBSCRIBE, email to debian-dpkg-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87fx2vl99k.fsf@frosties.localdomain">http://lists.debian.org/87fx2vl99k.fsf@frosties.localdomain
04-16-2010, 03:14 PM
Goswin von Brederlow
Bug#540215: Introduce dh_checksums
Raphael Hertzog <hertzog@debian.org> writes:
> On Fri, 16 Apr 2010, Harald Braumann wrote:
>> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>>
>> > Even if it creates a checksum file, someone could always hand-edit the
>> > package to add files not listed in the checksum files and we need to
>> > decide whether that's something that needs to be catched and if yes by
>> > whom and at what point.
>>
>> Do you mean a maintainer, who hand-edits a package after it was
>> built, or do you mean an adversery who has evil intentions? If the
>
> The latter.
>
>> former, then this should just be forbidden. If the latter, than this
>> can be solved by package signatures.
>
> Which one? We are discussing something that is a signature of the (content
> of the) package. And there's the signature on Release/Package which can
> authenticate the .deb in its entirety.
>
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.
The checksum file can be altered prior to the signature being added. But
so can any other part of the .deb file. We have to assume that no
adversery with evil intentions has access to the .deb prior to it being
signed. So it comes down to the maintainer not screwing up the package
prior to uploading.
The DAK can verify the validity of the signature and the completness of
the checksum file during upload if that is considered neccessary. I do
not think every user should have to do so during install. But it could
be optional with default off.
> Cheers,
MfG
Goswin
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87fx2vl99k.fsf@frosties.localdomain">http://lists.debian.org/87fx2vl99k.fsf@frosties.localdomain
Bug#540215: Introduce dh_checksums
