[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

md5sums (was Re: System integrity...)



On Sat, Jun 12, 1999 at 11:29:09PM +0200, Thomas Schoepf wrote:
> On Sat, 12 Jun 1999, Chris Leishman wrote:
> 
> > A program such as cruft could be produced that also verified binary signatures
> > against those in the original packages - thus highlighting non-debian
> > binaries without the need of a tripwire database.
> 
> I once wrote a little perl script that does it the other way round:
> Compare all files listed in /var/lib/dpkg/info/*.md5sums with their 
> versions currently stored in the real filesystem.
> But it takes some time to run: something between 5 and 10 minutes to check
> about 500 MB on my AMD K6-266 with a DCAS SCSI disk.
> 
> If you're interested in it, just tell me.
> 

Hmm...this is precisely what I was talking about.  I didn't realise that some
packages kept md5sums of all there contents (including those in /usr/bin, etc).
Unfortunately, not every package has a .md5sums file.

What is the criteria that determines which packages get .md5sums files
stored in /var/lib/dpkg/info/ ??  

What I would prefer to see, however, is this information stored in a file
similar to the packages file on the master server (and mirrors).  That way
the integrity of the signatures could be more assured.

Chris


-- 

----------------------------------------------------------------------
       As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5

Attachment: pgpaHIrKvRMRp.pgp
Description: PGP signature


Reply to: