
Re: Bug#540215: Introduce dh_checksums



On Thu, 15 Apr 2010, Stefano Zacchiroli wrote:
> On Thu, Apr 15, 2010 at 05:14:39PM +0200, Raphael Hertzog wrote:
> > > > On Tue, 23 Mar 2010, Wouter Verhelst wrote:
> > > > > The idea would be to provide a path from a binary on disk to a GPG
> > > > > signature for installed packages of which the user no longer has the
> > > > > .deb file from which it was originally installed, nor the Packages
> > > > > and/or Release.gpg file that was used to download it.
> 
> <snip>
> 
> > Hu?! Retrieving the SHA1 checksum is done by running "sha1sum
> > /the/file"... I don't see what dpkg would bring here. Furthermore,
> > the content of a file might not change at each release which means it's
> > not a one-to-one mapping but a one-to-many mapping.
> 
> The scenario suggested by Wouter quoted above is that the user has
> deleted *part* of an installed package (e.g. a mistaken "rm" somewhere
> under /usr/share/package/),

I did not read this in his words. I read that he wants to verify that the
installed files correspond to files that were signed by Debian without
having to keep around .deb files and/or Packages/Release files.

> It is my understanding that achieving the goal that you and Wouter
> agreed upon would provide the step "/the/file" -->> checksum of the
> owning .deb. If this is the case, the circle is closed.

Not in any straightforward way AFAIK. We get a checksum file for each
package listing the SHA1 of all installed files but that's all.

If you want the checksum of the "owning .deb" you have to record it at
installation time, you can't reconstruct it from the installed files even
with the new checksum file.

Cheers,
-- 
Raphaël Hertzog

Like what I do? Sponsor me: http://ouaza.com/wp/2010/01/05/5-years-of-freexian/
My Debian goals: http://ouaza.com/wp/2010/01/09/debian-related-goals-for-2010/
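
The two points made in this message, as an added example that is not part of the original message or of dpkg/debhelper: a per-package checksum file lets you check installed files, but a file's SHA1 can match several releases and says nothing about the checksum of the owning .deb. The package name `foo`, its versions, the file contents and the `<sha1>  <path>` manifest layout are constructed assumptions.

```python
import hashlib, tempfile
from pathlib import Path

def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed sample contents for two releases of a hypothetical package "foo".
FILES = {
    "1.0-1": {"usr/bin/foo": b"binary v1\n", "usr/share/foo/data": b"shared data\n"},
    "1.0-2": {"usr/bin/foo": b"binary v2\n", "usr/share/foo/data": b"shared data\n"},
}

def make_manifest(files):
    """Render an assumed '<sha1>  <path>' manifest (md5sums-style layout)."""
    return "".join(f"{sha1_of(d)}  {p}\n" for p, d in sorted(files.items()))

def parse_manifest(text):
    """Return {path: sha1} from manifest text."""
    pairs = (line.split(None, 1) for line in text.splitlines() if line.strip())
    return {path: digest for digest, path in pairs}

def owners_of(digest, manifests):
    """All (version, path) pairs listing this digest: a one-to-many mapping."""
    return sorted((v, p) for v, m in manifests.items()
                  for p, d in m.items() if d == digest)

def verify_tree(root, manifest):
    """Compare files under root with the manifest: ok / modified / missing."""
    result = {}
    for path, digest in manifest.items():
        full = Path(root, path)
        if not full.is_file():
            result[path] = "missing"
        else:
            result[path] = "ok" if sha1_of(full.read_bytes()) == digest else "modified"
    return result

def demo():
    manifests = {v: parse_manifest(make_manifest(f)) for v, f in FILES.items()}
    with tempfile.TemporaryDirectory() as root:
        for path, data in FILES["1.0-2"].items():  # "install" release 1.0-2
            target = Path(root, path)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        Path(root, "usr/share/foo/data").unlink()  # simulate the mistaken "rm"
        status = verify_tree(root, manifests["1.0-2"])
    return status, owners_of(sha1_of(b"shared data\n"), manifests)

if __name__ == "__main__":
    print(demo())
```

The unchanged data file resolves to both releases, so the installed file alone cannot identify which .deb it came from; the .deb checksum would have to be recorded separately at installation time.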

