
Package verification ? (Best practice)


On Sun, Oct 05, 2003 at 09:38:30AM +1000, Brian May wrote:
> On Sat, Oct 04, 2003 at 01:42:36PM -0400, Fabien Ninoles wrote:
> > Although your proposition seems more complete, have you tried
> > debsums and checksecurity?  debsums with the following
> > feature in /etc/apt/apt.conf
> > 
> > DPkg::Post-Invoke {
> >         "debsums --generate=nocheck -sp /var/cache/apt/archives";
> > };
> > 
> > Can be very handy in creating md5sums (BTW, I think it's a bug
> > against policy to include md5sums in control files).
> Is there some way you can do the same thing for packages installed with
> dpkg only and without apt-get? The apt-get layer would appear to be the
> wrong layer for this task IMHO.

Very true.

By the way (thus changing the title), here is the equivalent of the above,
a less interesting but still very good trick that I recommended:

  6.4.13 Verify installed package files

   debsums enables verification of installed package files against MD5
   checksums. Some packages do not have available MD5 checksums. A possible
   temporary fix for sysadmins:

      # cat >>/etc/apt/apt.conf.d/90debsums
      DPkg::Post-Install-Pkgs {"xargs /usr/bin/debsums -sg";};

   per Joerg Wendland joergland@debian.org (untested).

This one is better since it will be more compatible with package upgrades by
using apt.conf.d/. But the "-p" option may be needed. "--generate=nocheck" seems a good idea.

Post-Install-Pkgs with    xargs 
Post-Install      without xargs 

I do not know which is better.

Does anyone have a better suggestion?

(Maybe adding the "apt-get --reinstall -d install `debsums -l`" trick is
also needed.)


PS: Full section of above quote is available as:

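As an added illustration, not part of the original message and not debsums' own code: the kind of check debsums performs, comparing files on disk against a package's recorded MD5 list, shown in Python. It assumes the dpkg md5sums line format (`<md5>  <path relative to />`); the file tree, its contents and all function names are constructed for the example.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg-style md5sums lines into (digest, relative path) pairs."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip())
    return [(digest.lower(), path) for digest, path in rows]

def md5_of(path):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, manifest_text):
    """Return {relative path: 'OK' | 'FAILED' | 'MISSING'} per manifest entry."""
    results = {}
    for digest, rel in parse_md5sums(manifest_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of(full) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results

def demo():
    """Constructed tree: record checksums, then change one file, delete another."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/tool": b"#!/bin/sh\necho hi\n",
                 "etc/tool.conf": b"verbose=0\n",
                 "usr/share/doc/tool/README": b"docs\n"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = "".join(f"{md5_of(os.path.join(root, r))}  {r}\n" for r in files)
        with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
            f.write(b"# modified after checksums were recorded\n")
        os.remove(os.path.join(root, "usr/share/doc/tool/README"))
        return verify(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The recorded list lives on the same system as the files it covers, so someone able to modify the files can usually modify the list too; keep a copy off-host if the result has to be trusted.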