Re: Verifying my debs / suggestion for ISO downloads

[John Pearson <huiac@camtech.net.au>]

On Wed, Aug 30, 2000 at 02:03:18AM +0800, csj@mindgate.net wrote
> So I'm now on the point of downloading my potato.
> 
> What's the Debian equivalent of a Redhat <rpm --checksig *.rpm>? This command
> is supposed to verify the package signatures (md5, pgp, gpg -- but I've gone
> only as far as the md5).
> 
> How do I know if my download is all right? I have a more or less working Storm
> Linux installation, so I guess I can dpkg it.
> 
> BTW: I downloaded my Storm thru Linuxberg. The iso image came in 45 mb
> chunks, with an MD5 sum check list for all. A cool idea. Why hasn't anybody
> else thought of this (or have I been looking in the wrong places)? A simple
> "split" command can break up that 650 ton blue whale into more manageable
> kittens. For the clueless downloader, we can provide a simple "cat" script
> to piece together the bits (as Linuxberg and/or Storm Linux has done.).
> 

The debian website contains a file 'md5sums.gz', which contains
md5sums for the files you will be downloading (and more besides)
but AFAICT there is no 'automated' way to check individual
packages.

A better solution IMHO is to use rsync to download the packages,
which effectively verifies the files as they are downloaded; it
doesn't protect you against packages that are corrupt on
Debian's site, but that's only happened a couple of times in the
last few years across all of the supported architectures.  Rsync
also makes it much easier and faster to maintain your mirror,
to (e.g.) ensure that you always have the latest security
updates. 


John P.
-- 
huiac@camtech.net.au
john@huiac.apana.org.au
http://www.mdt.net.au/~john Debian Linux admin & support:technical services