Bug#492052: dpkg-deb man page: packages not authenticated


Bug#492052: dpkg-deb man page: packages not authenticated

by Thijs Kinkhorst-4

Package: dpkg
Version: 1.14.20
Severity: minor

Hi,

man 1 dpkg-deb mentions the following under "BUGS":

| There is no authentication on .deb files; in fact, there isn’t
| even a straightforward checksum.

I don't think that is a bug for the low level tool; this is handled just
fine by the higher level tools like APT which include authentication and
checksums. Maybe it stems from pre-APT times.

As this is not a bug (anymore) and it may suggest to the casual reader
that there's some kind of trust problem, I think it should be removed.
Patch that does this, is attached.


cheers,
Thijs

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.25-2-powerpc
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg depends on:
ii  coreutils                     6.10-6     The GNU core utilities
ii  libc6                         2.7-12     GNU C Library: Shared libraries

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt                           0.7.14     Advanced front-end for dpkg
ii  lzma                          4.43-14    Compression method of 7z format in

-- no debconf information

[dpkgdeb_nonbug.patch]

diff -ur dpkg-1.14.20.orig/man/de/dpkg-deb.1 dpkg-1.14.20/man/de/dpkg-deb.1
--- dpkg-1.14.20.orig/man/de/dpkg-deb.1 2008-06-18 09:41:19.000000000 +0200
+++ dpkg-1.14.20/man/de/dpkg-deb.1 2008-07-23 16:27:16.000000000 +0200
@@ -172,9 +172,6 @@
 .SH FEHLER
 \fBdpkg\-deb \-I\fP \fIpaket1\fP\fB.deb\fP \fIpaket2\fP\fB.deb\fP macht das Falsche.
 
-Es gibt keine Authentifizierung von \fB.deb\fP\-Dateien; in der Tat gibt es
-sogar noch nicht mal eine direkte Prüfsumme.
-
 Versuchen Sie nicht, nur mit \fBdpkg\-deb\fP Software zu installieren! Sie
 müssen \fBdpkg\fP selber verwenden, um sicherzustellen, dass alle Dateien an
 den richtigen Ort platziert werden, die Paketskripte ausgeführt werden und
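Review bot: the two lines removed under .SH FEHLER are a hand edit to a translated page, and the same removal is repeated in the fr, pl and sv hunks. If these pages are generated from translation catalogs, a direct edit like this would be overwritten on the next regeneration; consider changing only man/dpkg-deb.1 and letting the translations follow through their usual update path.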
diff -ur dpkg-1.14.20.orig/man/dpkg-deb.1 dpkg-1.14.20/man/dpkg-deb.1
--- dpkg-1.14.20.orig/man/dpkg-deb.1 2008-01-08 18:49:54.000000000 +0100
+++ dpkg-1.14.20/man/dpkg-deb.1 2008-07-23 16:24:26.000000000 +0200
@@ -224,10 +224,6 @@
 .IB package2 .deb
 does the wrong thing.
 
-There is no authentication on
-.B .deb
-files; in fact, there isn't even a straightforward checksum.
-
 Do not attempt to use just
 .B dpkg\-deb
 to install software! You must use
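Review bot: removing the "There is no authentication on .deb files" paragraph outright loses information that the report itself treats as true of the low-level tool, since it says verification happens in higher-level tools such as APT. Rather than deleting the three lines, consider rewording them to say that dpkg-deb performs no authentication or checksum verification of a .deb and that this is left to higher-level tools, so the page stays accurate for a .deb obtained outside a repository and sits sensibly before the "Do not attempt to use just dpkg-deb" paragraph.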
diff -ur dpkg-1.14.20.orig/man/fr/dpkg-deb.1 dpkg-1.14.20/man/fr/dpkg-deb.1
--- dpkg-1.14.20.orig/man/fr/dpkg-deb.1 2008-06-18 09:41:19.000000000 +0200
+++ dpkg-1.14.20/man/fr/dpkg-deb.1 2008-07-23 16:27:28.000000000 +0200
@@ -167,9 +167,6 @@
 .SH BOGUES
 \fBdpkg\-deb \-I\fP \fIpaquet1\fP\fB.deb\fP \fIpaquet2\fP\fB.deb\fP se trompe.
 
-Il n'y a pas de validation des fichiers \fB.deb ;\fP en fait, il n'y a même pas
-de simple somme de contrôle.
-
 N'essayez pas d'installer un logiciel avec \fBdpkg\-deb !\fP Vous devez utiliser
 \fBdpkg\fP pour être sûr que tous ses fichiers sont correctement mis en place,
 que les scripts du paquet sont exécutés et que son contenu et son état sont
diff -ur dpkg-1.14.20.orig/man/pl/dpkg-deb.1 dpkg-1.14.20/man/pl/dpkg-deb.1
--- dpkg-1.14.20.orig/man/pl/dpkg-deb.1 2008-06-18 09:41:20.000000000 +0200
+++ dpkg-1.14.20/man/pl/dpkg-deb.1 2008-07-23 16:27:39.000000000 +0200
@@ -161,9 +161,6 @@
 .SH B£ÊDY
 \fBdpkg\-deb \-I\fP \fIpakiet1\fP\fB.deb\fP \fIpakiet2\fP\fB.deb\fP dzia³a niepoprawnie.
 
-Brak sprawdzania autentyczno¶ci plików \fB.deb\fP. Tak naprawdê, to nawet nie
-jest sprawdzana suma kontrolna archiwum.
-
 Nie nale¿y u¿ywaæ \fBdpkg\-deb\fP do instalowania oprogramowania! Do tego celu
 nale¿y korzystaæ z \fBdpkg\fP, który zainstaluje poprawnie pliki i uruchomi
 potrzebne skrypty instalacyjne.
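Review bot: the context and removed lines in this pl hunk show characters such as "B£ÊDY", "dzia³a" and "autentyczno¶ci", which look like text in a legacy Polish encoding that has been read as Latin-1. Please confirm the patch is carried as a byte-exact attachment and not recoded in transit, otherwise this hunk's context will not match man/pl/dpkg-deb.1 and it will fail to apply.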
diff -ur dpkg-1.14.20.orig/man/sv/dpkg-deb.1 dpkg-1.14.20/man/sv/dpkg-deb.1
--- dpkg-1.14.20.orig/man/sv/dpkg-deb.1 2008-06-18 09:41:20.000000000 +0200
+++ dpkg-1.14.20/man/sv/dpkg-deb.1 2008-07-23 16:27:49.000000000 +0200
@@ -161,9 +161,6 @@
 .SH PROGRAMFEL
 \fBdpkg\-deb \-I\fP \fIpaket1\fP\fB.deb\fP \fIpaket2\fP\fB.deb\fP gör fel.
 
-Det finns ingen autentisering i \fB.deb\fP\-filer; det finns faktiskt inte ens
-en vanlig kontrollsumma.
-
 Försök inte använda bara \fBdpkg\-deb\fP för att installera programvara! Du
 måste använda normala \fBdpkg\fP för att se till att alla filer läggs på
 korrekt plats och att paketets skript körs och dess status och innehåll


Bug#492052: dpkg-deb man page: packages not authenticated

by Guillem Jover

tags 492052 - patch
tags 492052 pending
thanks

Hi,

On Wed, 2008-07-23 at 16:33:39 +0200, Thijs Kinkhorst wrote:
> Package: dpkg
> Version: 1.14.20
> Severity: minor

> man 1 dpkg-deb mentions the following under "BUGS":
>
> | There is no authentication on .deb files; in fact, there isn’t
> | even a straightforward checksum.

> I don't think that is a bug for the low level tool; this is handled just
> fine by the higher level tools like APT which include authentication and
> checksums. Maybe it stems from pre-APT times.

I think the comment is still valid, as once the .deb is outside a
repository then it cannot be authenticated anymore, the same applies to
the checksums if the package does not include them when building, via
dh_md5sums for example.

For the former a solution is to merge something like dpkg-sig into dpkg
proper. For the latter, implement something along the lines of #155676,
but probably at build time instead.

> As this is not a bug (anymore) and it may suggest to the casual reader
> that there's some kind of trust problem, I think it should be removed.
> Patch that does this, is attached.

But, yes I agree the comment is still confusing, so I've added
something I hope improves it:

  <http://git.debian.org/?p=dpkg/dpkg.git;a=commit;h=8b2b9d9f>

regards,
guillem




--
To UNSUBSCRIBE, email to debian-dpkg-bugs-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...
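
An added example, not part of the thread and not dpkg or APT code, of the repository-side check both messages refer to: a `.deb` is compared with the `Size` and `SHA256` fields recorded for it in a `Packages` index, and a file that no index lists has nothing to be checked against. The package name, path and payload are constructed, and the index is assumed to have been authenticated already through the repository's signed `Release` file.

```python
import hashlib

def parse_packages(text):
    """Parse a Packages index into {Filename: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):
                if key:  # continuation of the previous field
                    fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def check_deb(data, index, filename):
    """Compare a .deb's bytes with the Size and SHA256 the index records for it."""
    entry = index.get(filename)
    if entry is None:
        # The case raised in the reply: outside a repository there is no reference value.
        return "not-in-index"
    if int(entry["Size"]) != len(data):
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != entry["SHA256"].lower():
        return "hash-mismatch"
    return "ok"

# Constructed sample data: a stand-in payload and an index entry built for it.
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for a .deb payload"
SAMPLE_PATH = "pool/main/h/hello/hello_1.0-1_all.deb"
SAMPLE_INDEX = parse_packages(
    "Package: hello\n"
    "Version: 1.0-1\n"
    f"Filename: {SAMPLE_PATH}\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed example entry\n"
    " with a continuation line\n"
)

if __name__ == "__main__":
    print(check_deb(SAMPLE_DEB, SAMPLE_INDEX, SAMPLE_PATH))
    print(check_deb(SAMPLE_DEB[:-1] + b"X", SAMPLE_INDEX, SAMPLE_PATH))
    print(check_deb(SAMPLE_DEB, SAMPLE_INDEX, "downloads/hello_1.0-1_all.deb"))
```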


Processed: Re: Bug#492052: dpkg-deb man page: packages not authenticated

by Debian Bug Tracking System

Processing commands for control@...:

> tags 492052 - patch
Bug#492052: dpkg-deb man page: packages not authenticated
Tags were: patch
Tags removed: patch

> tags 492052 pending
Bug#492052: dpkg-deb man page: packages not authenticated
There were no tags set.
Tags added: pending

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

