tags 492052 - patch
tags 492052 pending
thanks

Hi,

On Wed, 2008-07-23 at 16:33:39 +0200, Thijs Kinkhorst wrote:
> Package: dpkg
> Version: 1.14.20
> Severity: minor

> man 1 dpkg-deb mentions the following under "BUGS":
>
> | There is no authentication on .deb files; in fact, there isn't
> | even a straightforward checksum.

> I don't think that is a bug for the low level tool; this is handled just
> fine by the higher level tools like APT which include authentication and
> checksums. Maybe it stems from pre-APT times.

I think the comment is still valid, as once the .deb is outside a
repository then it cannot be authenticated anymore, the same applies
to the checksums if the package does not include them when building,
via dh_md5sums for example.

For the former a solution is to merge something like dpkg-sig into
dpkg proper. For the latter, implement something along the lines of
#155676, but probably at build time instead.

> As this is not a bug (anymore) and it may suggest to the casual reader
> that there's some kind of trust problem, I think it should be removed.
> Patch that does this, is attached.

But, yes I agree the comment is still confusing, so I've added something
I hope improves it:

  <http://git.debian.org/?p=dpkg/dpkg.git;a=commit;h=8b2b9d9f>

regards,
guillem
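
Added example, not part of the original message and not dpkg code: a Python check of whether a .deb carries an md5sums control file (as dh_md5sums would generate) and whether its payload matches it. The function names and the in-memory sample package are constructed for illustration; only gz, bz2 and xz members are assumed.

```python
import hashlib, io, tarfile

def ar_members(deb):
    """Split the outer ar container of a .deb into {member name: bytes}."""
    if deb[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    out, pos = {}, 8
    while pos + 60 <= len(deb):  # 60-byte header: name[16] ... size[10] at offset 48
        size = int(deb[pos + 48:pos + 58].decode().strip())
        out[deb[pos:pos + 16].decode().strip().rstrip("/")] = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # member data is padded to an even length
    return out

def open_tar(members, prefix):
    """Open control.tar.* or data.tar.*; tarfile autodetects gz, bz2 and xz."""
    name = next(n for n in members if n.startswith(prefix))
    return tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*")

def check_md5sums(deb):
    """None if the package ships no md5sums, else {path: ok|mismatch|missing|unlisted}."""
    members = ar_members(deb)
    with open_tar(members, "control.tar") as ctl:
        entry = {m.name.removeprefix("./"): m for m in ctl.getmembers()}.get("md5sums")
        if entry is None:
            return None
        lines = ctl.extractfile(entry).read().decode().splitlines()
    want = {p: d for d, p in (l.split(None, 1) for l in lines if l.strip())}
    with open_tar(members, "data.tar") as data:
        have = {m.name.removeprefix("./"): hashlib.md5(data.extractfile(m).read()).hexdigest()
                for m in data.getmembers() if m.isfile()}
    report = {p: "unlisted" for p in have.keys() - want.keys()}
    for p, d in want.items():
        report[p] = "missing" if p not in have else "ok" if have[p] == d else "mismatch"
    return report

def build_sample_deb(files, md5sums=None):
    """Constructed sample input: a minimal .deb-shaped archive built in memory."""
    def tgz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for name, body in entries.items():
                info = tarfile.TarInfo("./" + name)
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
        return buf.getvalue()
    ctl = {"control": b"Package: demo\n", **({"md5sums": md5sums} if md5sums else {})}
    parts = {"debian-binary": b"2.0\n", "control.tar.gz": tgz(ctl), "data.tar.gz": tgz(files)}
    return b"!<arch>\n" + b"".join(
        f"{n:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(d):<10}`\n".encode() + d + b"\n" * (len(d) & 1)
        for n, d in parts.items())
```

A report of all "ok" only shows the package agrees with its own listing: whoever can modify the .deb can regenerate md5sums, so this detects corruption and is not authentication.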