On Sat, Aug 28, 2004 at 04:49:14PM +0200, Ingo Wilken wrote:
> This list is rather useless - it only shows the file name and the
> package name for every file contained in the package. It should also
> provide the MD5 hash of every file. This would help for quick manual
> checks whether an installed binary was compromised: Boot from a
> CDROM-based distribution (e.g. Knoppix), run md5sum on the suspect
> file and compare it to the listing on the package page. For now I
> have to download the whole package and extract the control
> information to get an MD5 string that can be trusted (since
> /var/lib/dpkg/info/ on that machine might be manipulated too).

This idea was actually brought up on debian-devel a while back IIRC. I would like the archive to have a single file, similar to the Contents file, that contained both the md5sum and the standard permissions of all the files in the archive. That would probably need four columns: package, filename, permissions and md5sum.

Providing this file for released versions of Debian and having it signed (maybe by including it in the Release file, whose signature is available in Release.gpg) would make it easier to do forensic analysis of Debian systems and would spare developers from having to either use KnownGoods [1] or a data file they need to generate by hand from a local archive copy.

I've actually been working on this for a bit and have written a quick shell script that should be able to generate the file above. Maybe somebody could review|improve|fix it so that the FTP admins can run it in the archive....

Regards

Javier

[1] http://www.knowngoods.org/download.html
Attachment: release-md5sums.sh (Bourne shell script)
Attachment: signature.asc (Digital signature)
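The four-column listing proposed above, and the rescue-CD check it is meant to support, as an added example. This is not the release-md5sums.sh attached to the message and not Debian archive tooling: it reads .deb files directly (the ar wrapper plus data.tar) with only the Python standard library, so it needs neither dpkg-deb nor a trusted /var/lib/dpkg/info, and it takes a root directory so a disk mounted read-only from something like Knoppix can be checked. The package name, file paths and the in-memory sample .deb are all constructed for the demonstration.

```python
"""Added example: build a 'package filename permissions md5sum' listing from
.deb files and check an installed (or offline-mounted) filesystem against it.
Not the script attached to the original message; all sample data is constructed."""
import hashlib
import io
import os
import stat
import tarfile

AR_MAGIC = b"!<arch>\n"   # a .deb is an ar(1) archive wrapping control.tar.* and data.tar.*
HASH = "md5"              # what the message proposes; sha256 is a drop-in replacement today


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the outer .deb layer)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):                          # fixed 60-byte member header
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode("ascii").strip().rstrip("/")   # GNU ar ends names with "/"
        size = int(hdr[48:58])                            # decimal size field
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                     # members are padded to an even offset


def deb_file_listing(package, deb_blob):
    """Rows (package, path, octal permissions, hash) for every regular file in a .deb."""
    rows = []
    for name, data in ar_members(deb_blob):
        if not name.startswith("data.tar"):               # data.tar.gz / data.tar.xz is the payload
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:
                if m.isreg():
                    digest = hashlib.new(HASH, tar.extractfile(m).read()).hexdigest()
                    path = "/" + (m.name[2:] if m.name.startswith("./") else m.name)
                    rows.append((package, path, "%04o" % (m.mode & 0o7777), digest))
    return rows


def format_listing(rows):
    """One 'package filename permissions hash' line per file, Contents-file style."""
    return "".join(" ".join(r) + "\n" for r in rows)


def parse_listing(text):
    """Index a listing (already verified against its Release.gpg signature) by path."""
    index = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            package, path, perms, digest = line.split()
            index[path] = (package, perms, digest)
    return index


def check_file(index, path, root="/"):
    """Verdict for one file; root='/mnt/disk' checks a system mounted from a rescue CD."""
    if path not in index:
        return "UNKNOWN"                                  # not shipped by any listed package
    _package, perms, digest = index[path]
    full = os.path.join(root, path.lstrip("/"))
    try:
        st = os.lstat(full)                               # lstat: a symlink planted over a binary is suspect
    except FileNotFoundError:
        return "MISSING"
    if not stat.S_ISREG(st.st_mode):
        return "NOT-A-REGULAR-FILE"
    with open(full, "rb") as f:
        if hashlib.new(HASH, f.read()).hexdigest() != digest:
            return "MODIFIED"
    if "%04o" % (st.st_mode & 0o7777) != perms:
        return "PERMS-CHANGED"                            # e.g. an unexpected setuid bit
    return "OK"


def build_sample_deb(files):
    """Constructed test input: a minimal .deb built in memory from {path: (mode, bytes)}."""
    def tar_gz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for name, mode, content in entries:
                info = tarfile.TarInfo(name)
                info.size, info.mode = len(content), mode
                tar.addfile(info, io.BytesIO(content))
        return buf.getvalue()

    def member(name, data):    # ar header: name16 mtime12 uid6 gid6 mode8 size10 "`\n"
        hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data))
        return hdr + data + (b"\n" if len(data) & 1 else b"")

    control = tar_gz([("./control", 0o644, b"Package: demo\nVersion: 1.0\n")])
    data = tar_gz([("./" + p.lstrip("/"), m, c) for p, (m, c) in files.items()])
    return (AR_MAGIC + member("debian-binary", b"2.0\n")
            + member("control.tar.gz", control) + member("data.tar.gz", data))


def demo():
    """End-to-end run on constructed data: one file tampered with, one untouched, one unknown."""
    import tempfile
    files = {"/usr/bin/demo": (0o755, b"#!/bin/sh\necho demo\n"),
             "/etc/demo.conf": (0o644, b"verbose=0\n")}
    index = parse_listing(format_listing(deb_file_listing("demo", build_sample_deb(files))))
    root = tempfile.mkdtemp()                             # stands in for the mounted suspect disk
    for path, (mode, content) in files.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        os.chmod(full, mode)
    with open(os.path.join(root, "usr/bin/demo"), "wb") as f:
        f.write(b"#!/bin/sh\necho tampered\n")           # same mode, different content
    return {p: check_file(index, p, root) for p in list(files) + ["/usr/bin/ls"]}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print("%-18s %s" % (verdict, path))
```

Two caveats a practitioner should keep in mind. The listing only proves anything if it came from a signed Release (check Release.gpg first) and is read by tools running from the rescue medium, not from the suspect disk, which is exactly the point the quoted message makes about /var/lib/dpkg/info. Conffiles under /etc will legitimately show as MODIFIED on a maintained system, so a real tool should mark those separately rather than treating every mismatch as a compromise. The assumed HASH constant is there because MD5 collisions were already public at the time of this thread; they do not let an attacker match a fixed hash of an existing file, but a stronger hash costs nothing in such a listing.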