04-16-2010, 06:08 AM
Raphael Hertzog

Bug#540215: Introduce dh_checksums

On Fri, 16 Apr 2010, Harald Braumann wrote:
> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>
> > Even if it creates a checksum file, someone could always hand-edit the
> > package to add files not listed in the checksum files and we need to
> > decide whether that's something that needs to be caught and if yes by
> > whom and at what point.
>
> Do you mean a maintainer, who hand-edits a package after it was
> built, or do you mean an adversary who has evil intentions? If the

The latter.

> former, then this should just be forbidden. If the latter, then this
> can be solved by package signatures.

Which one? We are discussing something that is a signature of the (content
of the) package. And there's the signature on Release/Package which can
authenticate the .deb in its entirety.

I'm discussing the case where the signature of the "checksums" file is valid
but that checksums file does not list all the files present in
data.tar.gz or control.tar.gz.

Cheers,
--
Raphaël Hertzog

Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100416060813.GA12604@rivendell
 
04-16-2010, 11:30 AM
Harald Braumann

Bug#540215: Introduce dh_checksums

On Fri, Apr 16, 2010 at 08:08:13AM +0200, Raphael Hertzog wrote:
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.

Require that checksums exist for all files and let dpkg check
that at installation time.

But yes, I second your proposal for a DEP, instead of discussing
details further in this thread, which has already become quite
chaotic.

harry


--
Archive: http://lists.debian.org/20100416113022.GC25023@sbs288.lan
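The check Harald asks for above (every file in data.tar.gz must be listed in the checksums file, and dpkg should refuse anything that is not), as an added example that is not code from the thread, dpkg or debhelper. It builds a small data.tar.gz in memory, derives a manifest from the honest file list, then adds one unlisted file to the tarball and reports it. The manifest layout mirrors dpkg's md5sums files ("<hexdigest>  <path>") but uses SHA-256; the package name, paths and file contents are constructed for the demo.

```python
"""Completeness check of a checksum manifest against a package's data.tar.gz.

Added example, not code from the thread, dpkg or debhelper. The manifest
layout mirrors dpkg's md5sums files ("<hexdigest>  <path>") but uses SHA-256;
the tarball and its contents are constructed in memory so this runs offline.
"""
import hashlib
import io
import tarfile

# Constructed sample payload: the files a hypothetical "hello" package ships.
LISTED_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/copyright": b"Copyright 2010, constructed sample\n",
}
# A file present in the tarball but deliberately absent from the manifest.
UNLISTED_FILE = {"usr/lib/hello/libextra.so.0": b"constructed, not a real object\n"}


def make_manifest(files):
    """Produce "<sha256>  <path>" lines for a {path: bytes} mapping."""
    return "".join(
        f"{hashlib.sha256(data).hexdigest()}  {path}\n"
        for path, data in sorted(files.items())
    )


def parse_manifest(text):
    """Parse manifest text into {path: hexdigest}; blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries


def build_tarball(files):
    """Construct a gzip-compressed tar (like data.tar.gz) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_tarball(tar_bytes, manifest):
    """Compare every regular file in the tarball with the manifest.

    Returns (unlisted, missing, mismatched): paths present in the tar but not
    in the manifest, listed paths absent from the tar, and paths whose hash
    differs. A dpkg-side check would refuse to install on any of the three.
    """
    unlisted, mismatched, seen = [], [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories and symlinks carry no content to hash
            path = member.name[2:] if member.name.startswith("./") else member.name
            seen.add(path)
            if path not in manifest:
                unlisted.append(path)
                continue
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if digest != manifest[path]:
                mismatched.append(path)
    missing = sorted(set(manifest) - seen)
    return sorted(unlisted), missing, sorted(mismatched)


def demo():
    """Manifest built from the honest file list, tarball with one extra file."""
    manifest = parse_manifest(make_manifest(LISTED_FILES))
    tarball = build_tarball({**LISTED_FILES, **UNLISTED_FILE})
    return verify_tarball(tarball, manifest)


if __name__ == "__main__":
    unlisted, missing, mismatched = demo()
    print("unlisted:", unlisted, "missing:", missing, "mismatched:", mismatched)
```

Running the script reports `usr/lib/hello/libextra.so.0` as unlisted, which is exactly the case Raphael describes: a valid signature over the checksums file proves nothing about files the manifest never mentions, so the verifier has to treat "present but unlisted" as a hard failure, not just "listed but wrong".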
 
04-16-2010, 03:04 PM
Goswin von Brederlow

Bug#540215: Introduce dh_checksums

Harald Braumann <harry@unheit.net> writes:

> On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
>
>> The checksum file could be attached as an additional member in the
>> .deb. And a signature could be a signed file containing the checksum,
>> size and name of all members of a .deb preceding the signature. That
>> way the signature can verify the deb itself or individual members, like
>> the checksum file, in the .deb. Just a thought.
>
> I'm not sure how you mean that exactly. But the signature must be
> over the checksum file, nothing more and nothing less. Otherwise
> you won't be able to verify the checksum file.

A signature could look like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

90d462d27ac404ecabfc9ca7f306dec0b81d3576 3456 control.tar.gz
ed43cc24b4f5472d25fc9c82a67daed317c8d415 3573458 data.tar.gz
90d462d27ac404ecab247a82a67daed317c8d415 971 checksum_control
ed43cc24b4f5472d25fc9ca7f306dec0b81d3576 1234 checksum_data
9528348234958345473658358238452836482685 3536 signature_01

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLyHvbH8SBz+0NfPoRAofQAJoDlO38O3UqfcSyN6xj92s/LQlAzwCgweC2
BiK6lI0aABtTwvXVIEiqXNg=
=cOUY
-----END PGP SIGNATURE-----

> Also I think it's really a very bad idea in general to mix multiple
> different things into one signature. The one thing is a signature over
> installed files (via the checksum file). The other is a signature over
> a package. The two are completely orthogonal and serve different
> purposes.

It would be a signature over members of the .deb file. The meaning of
each member doesn't matter.

> harry

MfG
Goswin


--
Archive: http://lists.debian.org/87k4s7l9pj.fsf@frosties.localdomain
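Goswin's sketch of a signature over the members of the .deb, as an added example that is not code from the thread, dpkg or dak. A .deb is an "ar" archive, so a minimal ar packer and parser is included; the manifest has the same "<sha1> <size> <name>" shape as the signed block above and covers every member preceding the signature member. The PGP clearsign wrapper is left out: the manifest is stored as plain text in a `signature_01` member as a stand-in for the clearsigned text, and the member contents are constructed placeholders rather than real tarballs. How members that follow the signature member are treated (flagged as not covered unless they are further `signature_*` members) is my assumption, not something the thread settles.

```python
"""Signature over the members of a .deb, in the style Goswin sketches above.

Added example, not code from the thread, dpkg or dak. A .deb is an "ar"
archive, so a tiny packer/parser for that format is included. The manifest
lists "<sha1> <size> <name>" for every member preceding the signature member.
The PGP clearsign wrapper is omitted: the manifest is stored unsigned in the
signature_01 member as a stand-in for the clearsigned text. Member contents
are constructed placeholders, not real tarballs.
"""
import hashlib

AR_MAGIC = b"!<arch>\n"
SIG_NAME = "signature_01"

# Constructed members of a sample package; contents are placeholders.
SAMPLE_MEMBERS = [
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", b"constructed stand-in for control.tar.gz\n"),
    ("data.tar.gz", b"constructed stand-in for data.tar.gz"),  # odd length
    ("checksum_data", b"0123456789abcdef  usr/bin/hello\n"),
]


def ar_pack(members):
    """Build an ar archive from (name, bytes) pairs (names up to 16 chars)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        # ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
        header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}"
        out += header.encode("ascii") + b"`\n" + data
        if len(data) % 2:
            out += b"\n"  # members are padded to an even offset
    return bytes(out)


def ar_members(blob):
    """Yield (name, bytes) for each member; raise on a malformed archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("truncated or malformed member header")
        name = hdr[0:16].decode("ascii").rstrip(" /")
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"member {name} truncated")
        yield name, data
        pos += 60 + size + (size % 2)


def member_manifest(blob, sig_name=SIG_NAME):
    """Goswin-style lines for all members preceding the signature member."""
    lines = []
    for name, data in ar_members(blob):
        if name == sig_name:
            break
        lines.append(f"{hashlib.sha1(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"


def parse_member_manifest(text):
    """Parse "<sha1> <size> <name>" lines into {name: (sha1, size)}."""
    listed = {}
    for line in text.splitlines():
        if line.strip():
            digest, size, name = line.split(" ", 2)
            listed[name] = (digest.lower(), int(size))
    return listed


def verify_member_manifest(blob, manifest_text, sig_name=SIG_NAME):
    """Return a list of problems; empty means every covered member checks out.

    Members after the signature are flagged unless they are further
    signature_* members (assumption about how the scheme would extend).
    """
    listed = parse_member_manifest(manifest_text)
    problems, seen, sig_found = [], set(), False
    for name, data in ar_members(blob):
        if name == sig_name:
            sig_found = True
            continue
        if sig_found:
            if not name.startswith("signature_"):
                problems.append(f"not covered by signature: {name}")
            continue
        seen.add(name)
        if name not in listed:
            problems.append(f"unlisted member: {name}")
        elif listed[name] != (hashlib.sha1(data).hexdigest(), len(data)):
            problems.append(f"hash/size mismatch: {name}")
    if not sig_found:
        problems.append(f"signature member missing: {sig_name}")
    problems += [f"listed but absent: {n}" for n in sorted(listed.keys() - seen)]
    return problems


def build_signed_deb(members, sig_name=SIG_NAME):
    """Append the manifest as the signature member; returns (deb, manifest)."""
    manifest = member_manifest(ar_pack(members), sig_name)
    return ar_pack(list(members) + [(sig_name, manifest.encode())]), manifest


if __name__ == "__main__":
    deb, manifest = build_signed_deb(SAMPLE_MEMBERS)
    print(manifest, end="")
    print("problems:", verify_member_manifest(deb, manifest))
```

Because the manifest names every preceding member with its size and hash, inserting an extra member before the signature shows up as "unlisted member", and a member appended after the signature is reported as not covered; the signature itself only has to bind the manifest text, which is what the clearsigned block in Goswin's message would do.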
 
04-16-2010, 03:14 PM
Goswin von Brederlow

Bug#540215: Introduce dh_checksums

Raphael Hertzog <hertzog@debian.org> writes:

> On Fri, 16 Apr 2010, Harald Braumann wrote:
>> On Thu, Apr 15, 2010 at 05:03:44PM +0200, Raphael Hertzog wrote:
>>
>> > Even if it creates a checksum file, someone could always hand-edit the
>> > package to add files not listed in the checksum files and we need to
>> > decide whether that's something that needs to be caught and if yes by
>> > whom and at what point.
>>
>> Do you mean a maintainer, who hand-edits a package after it was
>> built, or do you mean an adversary who has evil intentions? If the
>
> The latter.
>
>> former, then this should just be forbidden. If the latter, then this
>> can be solved by package signatures.
>
> Which one? We are discussing something that is a signature of the (content
> of the) package. And there's the signature on Release/Package which can
> authenticate the .deb in its entirety.
>
> I'm discussing the case where the signature of the "checksums" file is valid
> but that checksums file does not list all the files present in
> data.tar.gz or control.tar.gz.

The checksum file can be altered prior to the signature being added. But
so can any other part of the .deb file. We have to assume that no
adversary with evil intentions has access to the .deb prior to it being
signed. So it comes down to the maintainer not screwing up the package
prior to uploading.

The DAK can verify the validity of the signature and the completeness of
the checksum file during upload if that is considered necessary. I do
not think every user should have to do so during install. But it could
be optional with default off.

> Cheers,

MfG
Goswin


--
Archive: http://lists.debian.org/87fx2vl99k.fsf@frosties.localdomain