
Manipulated squirrelmail download archives - how to detect such cases automatically in the Debian packaging process?

From: Daniel Leidert <daniel.leidert.spam(at)gmx.net>
Date: Fri Dec 14 2007 - 10:10:21 EST


Hello,

Maybe some of you already noticed it: it seems some of the squirrelmail archives have been manipulated [1]. I've downloaded the package source and compared the md5sum of the .tar.gz to the ones provided by the squirrelmail developers, and it seems we have one of the original tarballs.

Now I know that some upstream authors automatically provide (signed) MD5 sums together with their packages (I do, for example). Is there anything in the Debian packaging architecture to automatically get and compare the MD5 hash of the downloaded tarball to the (signed) MD5 hash provided by the author (besides the fact that this should be done by the package maintainer manually)?

Would it make sense to add something to the packaging infrastructure or (maybe) to ftp.debian.org as part of the incoming process?

I could imagine extending debian/watch to contain a search pattern for MD5 hash files and their signature files, to download them too, and extending the dpkg utilities to compare the hash in the .dsc to an existing .md5 (and verify these files with the signature in e.g. .md5.asc if possible). This would mean that these files could be available only on the maintainer's computer, or that these files would be uploaded along with the .dsc, ... too. It would probably need a new keyring with the keys of upstream projects.

Or is there already something similar I just don't know?

I would first like to hear some opinions before I write a wishlist report.

[1] http://www.squirrelmail.org -> "SECURITY: 1.4.12 Package Compromise"


Regards, Daniel

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
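As an added example (not from Daniel's mail or from any Debian tool), the hash cross-check the proposal describes, in Python: parse the Files: field of a .dsc and an upstream md5sum(1)-format .md5 file, then compare both against the md5 of the tarball actually on disk. The tarball bytes, file names and the second Files: entry are constructed; verifying the .md5.asc signature with gpg against an upstream keyring is left out.

```python
import hashlib
import re
# Constructed stand-ins: fake tarball bytes plus the Debian and upstream names for it.
TARBALL_BYTES = b"constructed sample tarball content, not a real archive\n"
DEBIAN_NAME = "squirrelmail_1.4.12.orig.tar.gz"
UPSTREAM_NAME = "squirrelmail-1.4.12.tar.gz"
GOOD_MD5 = hashlib.md5(TARBALL_BYTES).hexdigest()
# Constructed upstream .md5 file in md5sum(1) format: "<hash>  <filename>".
UPSTREAM_MD5_TEXT = f"{GOOD_MD5}  {UPSTREAM_NAME}\n"
# Constructed .dsc fragment; Files: holds "<md5> <size> <name>" per continuation line.
DSC_TEXT = f"""Source: squirrelmail
Files:
 {GOOD_MD5} {len(TARBALL_BYTES)} {DEBIAN_NAME}
 0123456789abcdef0123456789abcdef 1234 squirrelmail_1.4.12-1.diff.gz
"""

def parse_md5sum_file(text):
    """Map filename -> md5 from md5sum(1)-style lines ('*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{32})\s+\*?(.+)$", line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def parse_dsc_files(text):
    """Map filename -> (md5, size) from the .dsc Files: field (continuation lines start with a space)."""
    entries, in_files = {}, False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
        elif in_files:
            if not line.startswith(" "):
                break
            md5, size, name = line.split()
            entries[name] = (md5.lower(), int(size))
    return entries

def verify_orig_tarball(tarball, dsc_text, upstream_md5_text, debian_name, upstream_name):
    """Return (ok, reason): the tarball must match the .dsc entry AND the upstream .md5."""
    actual = hashlib.md5(tarball).hexdigest()
    dsc = parse_dsc_files(dsc_text).get(debian_name)
    upstream = parse_md5sum_file(upstream_md5_text).get(upstream_name)
    if dsc is None or upstream is None:
        return False, "tarball missing from .dsc Files: or upstream .md5"
    if (actual, len(tarball)) != dsc:
        return False, "tarball does not match the md5/size recorded in the .dsc"
    if actual != upstream:
        return False, "tarball does not match the upstream-published md5"
    return True, "md5 agrees with both the .dsc and the upstream .md5"
```

The upstream-mismatch branch is the case the mail is about: a .dsc built from a tampered download is internally consistent, so only the comparison against the author's published hash catches it. A current .dsc also carries Checksums-Sha256, which is what the same check would compare today.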
Received on Fri Dec 14 10:11:30 2007

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:28 EDT
