tags 492052 - patch
tags 492052 pending
thanks
Hi,
On Wed, 2008-07-23 at 16:33:39 +0200, Thijs Kinkhorst wrote:
> Package: dpkg
> Version: 1.14.20
> Severity: minor
> man 1 dpkg-deb mentions the following under "BUGS":
>
> | There is no authentication on .deb files; in fact, there isnt
> | even a straightforward checksum.
> I don't think that is a bug for the low level tool; this is handled just
> fine by the higher level tools like APT which include authentication and
> checksums. Maybe it stems from pre-APT times.
I think the comment is still valid, as once the .deb is outside a
repository then it cannot be authenticated anymore, the same applies to
the checksums if the packages does not include them when building, via
dh_md5sums for example.
For the former a solution is to merge something like dpkg-sig into dpkg
proper. For the latter, implement something along the lines of #155676,
but probably at build time instead.
> As this is not a bug (anymore) and it may suggest to the casual reader
> that there's some kind of trust problem, I think it should be removed.
> Patch that does this, is attached.
But, yes I agree the comment is still confusing, so I've added
something I hope improves it:
<
http://git.debian.org/?p=dpkg/dpkg.git;a=commit;h=8b2b9d9f>
regards,
guillem
--
To UNSUBSCRIBE, email to
debian-dpkg-bugs-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact
listmaster@...
