Improving .deb

Improving .deb

Posted May 29, 2019 18:42 UTC (Wed) by wahern (subscriber, #37304)
Parent article: Improving .deb

A big problem with Zip, IMO, is that the metadata for archived files is stored twice--in an index and as a header to each file. Which one do you use and trust? This creates a dilemma for metadata parsers and especially security scanners.

If you don't mind the uncleanliness and potential security issues of such redundant metadata, one can create an index for tar files, including compressed tar files. I've experimented with this (for both tar and tar+gzip), though nothing releasable. The upside is that adding an index could be done in a backward compatible manner--just another object in the outer archive that could be ignored.



Improving .deb

Posted Jun 6, 2019 21:36 UTC (Thu) by dfsmith (guest, #20302)

Wouldn't you trust both or neither? If they match, yay! If not, the zip is corrupted (and shouldn't have passed the signature check).
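An added example, not part of either comment above: a Python sketch of the "do they match?" check for Zip, comparing each central directory (index) entry against the local file header it points to. It assumes a single-disk archive without Zip64 records; the function names and the sample archive are constructed for illustration.

```python
import io, struct, zipfile

EOCD = struct.Struct("<4s4H2LH")      # end of central directory record
CDH = struct.Struct("<4s6H3L5H2L")    # central directory (index) file header
LFH = struct.Struct("<4s5H3L2H")      # local file header in front of the data

def compare_zip_metadata(data):
    """Return one message per entry whose index and local header disagree."""
    pos = data.rfind(b"PK\x05\x06")
    if pos < 0 or pos + EOCD.size > len(data):
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = EOCD.unpack_from(data, pos)
    problems, off = [], cd_off
    for _ in range(total):
        if data[off:off + 4] != b"PK\x01\x02" or off + CDH.size > len(data):
            raise ValueError(f"bad central directory header at offset {off}")
        (_, _, _, _, method, _, _, crc, csize, usize, nlen, xlen, clen,
         _, _, _, lfh_off) = CDH.unpack_from(data, off)
        name = data[off + CDH.size: off + CDH.size + nlen]
        off += CDH.size + nlen + xlen + clen
        if (data[lfh_off:lfh_off + 4] != b"PK\x03\x04"
                or lfh_off + LFH.size > len(data)):
            problems.append(f"{name!r}: no local header at offset {lfh_off}")
            continue
        (_, _, lflags, lmethod, _, _, lcrc, lcsize, lusize, lnlen,
         _) = LFH.unpack_from(data, lfh_off)
        lname = data[lfh_off + LFH.size: lfh_off + LFH.size + lnlen]
        index, local = [name, method], [lname, lmethod]
        if not lflags & 0x08:  # bit 3 set: CRC and sizes follow the data instead
            index += [crc, csize, usize]
            local += [lcrc, lcsize, lusize]
        if index != local:
            problems.append(f"index {name!r} != local header {lname!r}")
    return problems

def build_samples():
    """Constructed input: a clean archive and a copy with one local name edited."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("control", b"Package: demo\n")
        zf.writestr("data.txt", b"hello\n")
    clean = buf.getvalue()
    # The first occurrence of the name is in the local header, not the index.
    return clean, clean.replace(b"data.txt", b"DATA.txt", 1)

if __name__ == "__main__":
    clean, edited = build_samples()
    print(compare_zip_metadata(clean), compare_zip_metadata(edited))
```

A scanner that wants the "trust both or neither" behaviour would reject the archive whenever the returned list is non-empty.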

