Bug#268658: marked as done (packages.debian.org: Provide cheksums of package contents)
Your message dated Sun, 22 Oct 2023 04:09:30 +0200
with message-id <25908.33882.205193.353080@cs.uni-koeln.de>
and subject line closing
has caused the Debian Bug report #268658,
regarding packages.debian.org: Provide cheksums of package contents
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
268658: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=268658
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
On the individual package pages (for example
<http://packages.debian.org/testing/base/procps>) there are links to
show the list of files of this package for every architecture (under
the download buttons).
This list is rather useless - it only shows the file name and the
package name for every file contained in the package. It should also
provide the MD5 hash of every file. This would help for quick manual
checks whether an installed binary was compromised: Boot from a CDROM-
based distribution (e.g. Knoppix), run md5sum on the suspect file and
compare it to the listing on the package page. For now I have to
download the whole package and extract the control information to get
a MD5 string that can be trusted (since /var/lib/dpkg/info/ on that
machine might be manipulated too).
Regards,
Ingo
--- End Message ---
--- Begin Message ---
I don't think that the list is useless and there's no need to provide
the MD5 hash of every file.
--
Thomas
--- End Message ---
Reply to: