Re: Feature request for GnuPG crypted Debian packages
Michelle Konzack wrote on 25/04/2007 at 20:44:

> > I think you're targeting the wrong layer of the system. If many
> > packages contain so much sensitive data, it would be easier to
> > encrypt a tarball or part of a FS where packages are read.
>
> The packages are in general on the Server!

Could you be more precise? First ISTR you talked about a CD with sensitive data. Now there's a package server. The two scenarios are completely different, and call for completely different protection schemes, I'd say.

> > As far as D-I is concerned, you could probably easily add a udeb to
> > deal with decrypting and unpacking of that sensitive part, and leave
> > apt and dpkg untouched.
>
> You mean, put the crypted tarball into the DEB?

No. I mean you could have an encrypted tarball on the debian installer CD, and that tarball could be unpacked by a component of the installer. The debian packages in the tarball would then be reachable by apt and dpkg in a totally normal way (you could either add another source or use some union FS).

> > On the other hand, if not all of the Debian package is sensitive,
> > you'd better encrypt data inside it, and have the application or a
> > helper decrypt it when needed, maybe in maintainer scripts.
>
> I was trying this too, but sometimes I get conflicts with packages
> containing the same files.

Then your files are probably at the wrong place, and the packages probably aren't FHS compliant. Correct them before enhancing dpkg to work around the issue.

Quickly,
Pierre
--
OpenPGP 0xD9D50D8A
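The encrypted-tarball layout described in the message above, as an added example that is not part of the original thread or of D-I. The function names `seal_pkgs` and `open_pkgs` are hypothetical, and it assumes GnuPG 2.1+, passphrase (symmetric) encryption, and a package directory that already holds a `Packages` index built on the build host.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1+ and that DIR already
# contains the .deb files plus a Packages index (e.g. from dpkg-scanpackages).

# seal_pkgs DIR PASSFILE OUT: tar DIR and encrypt it for the installer CD.
# The tar stream is piped straight into gpg, so no plaintext archive hits disk.
seal_pkgs() {
    dir=$1 passfile=$2 out=$3
    [ -d "$dir" ] || return 1
    gh=$(mktemp -d) || return 1            # throwaway GnuPG home directory
    tar -C "$dir" -czf - . |
        gpg --homedir "$gh" --batch --yes --pinentry-mode loopback \
            --passphrase-file "$passfile" --symmetric --cipher-algo AES256 \
            -o "$out"
    rc=$?
    gpgconf --homedir "$gh" --kill gpg-agent 2>/dev/null
    rm -rf "$gh"
    return "$rc"
}

# open_pkgs ENC PASSFILE DEST: decrypt and unpack into DEST (absolute path),
# then print the apt source line for the unpacked flat repository.
open_pkgs() {
    enc=$1 passfile=$2 dest=$3
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    gh=$(mktemp -d) || return 1
    # Decrypt to a file first: gpg only reports a failed integrity check at
    # the end of the stream, so never untar output that has not passed it.
    tmp=$(mktemp "$dest/.pkgs.XXXXXX") || return 1
    if gpg --homedir "$gh" --batch --yes --pinentry-mode loopback \
           --passphrase-file "$passfile" --decrypt -o "$tmp" "$enc" 2>/dev/null
    then
        tar -C "$dest" -xzf "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    gpgconf --homedir "$gh" --kill gpg-agent 2>/dev/null
    rm -rf "$gh"
    [ "$rc" -eq 0 ] || return 1
    [ -f "$dest/Packages" ] || [ -f "$dest/Packages.gz" ] || return 1
    # The flat repository is unsigned, so apt has to be told to trust it.
    printf 'deb [trusted=yes] file:%s ./\n' "$dest"
}
```

The line printed by `open_pkgs` is what the installer component would append to the target's apt sources; `[trusted=yes]` disables apt's own signature check for that source, so sign the repository instead if apt-level verification is required.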
Feature request for GnuPG crypted Debian packages
Package: dpkg
Version: 1.10.28
Severity: wishlist

= I am CC'ing this message to debian-devel for discussion. =

Dear dpkg Developers and Maintainers,

I am a Debian GNU/Linux consultant in Strasbourg/France and I build my own Debian CDs for installation at my customers' sites. Those CDs contain, besides the standard D-I, per-customer config packages.

The problem is that such packages can contain sensitive customer data, so my idea is to add GnuPG encryption support for Debian packages.

I would suggest adding a new header like

    Crypted: gpg_key

and then crypting the data.tar.gz (in the Debian package).

dpkg (also apt-get, aptitude and synaptic) should detect the additional header and act as required.

Since the CRYPT option is only an extension, it will not affect ANY existing Debian packages.

dpkg-buildpackage should also support the new extension to crypt the data part.

Additional note: The CRYPT extension should only affect binary packages and not sources.

Thanks, greetings and have a nice day
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages dpkg depends on:
ii dselect 1.10.28a user tool to manage Debian packa
ii libc6 2.3.2.ds1-22sarge5 GNU C Library: Shared libraries an

-- no debconf information
Re: Feature request for GnuPG crypted Debian packages
Michelle Konzack wrote on 24/04/2007 at 16:40:

> I would suggest to add a new header like Crypted: gpg_key and then
> crypt the data.tar.gz (in the Debian package).

I think you're targeting the wrong layer of the system. If many packages contain so much sensitive data, it would be easier to encrypt a tarball or part of a FS where packages are read.

As far as D-I is concerned, you could probably easily add a udeb to deal with decrypting and unpacking of that sensitive part, and leave apt and dpkg untouched.

On the other hand, if not all of the Debian package is sensitive, you'd better encrypt data inside it, and have the application or a helper decrypt it when needed, maybe in maintainer scripts.

Alternatively,
Pierre
--
OpenPGP 0xD9D50D8A