
Re: Debian packages MD5 sums



On Wed, May 15, 2002 at 11:14:18PM +0100, Colin Watson wrote:
> On Wed, May 15, 2002 at 05:41:45PM -0400, Andy Saxena wrote:
> > On Mon, May 13, 2002 at 02:57:03PM -0500, Alex Malinovich wrote:
> > > On Mon, 2002-05-13 at 13:54, Scott Henson wrote:
> > > > Try debsums.  Not all packages have it, but some do.
> > 
> > I keep seeing this statement often, but I must not be understanding it
> > completely. 
> > 
> > If I do:
> > 
> > $ zless Packages.gz | egrep "^Package: " | wc -l
> >    8907
> > 
> > $ zless Packages.gz | egrep "^MD5sum: " | wc -l
> >    8907
> 
> Those aren't related to debsums. The MD5sum: lines in package files sum
> the whole package (the .deb); the quoted text above refers to 'md5sums'
> files in the control areas of packages, installed in
> /var/lib/dpkg/info/*.md5sums, that sum individual files in the package.
> 
> Cheers,
> 
> -- 
> Colin Watson                                  [cjwatson@flatline.org.uk]
> 

Thanks, that explains it perfectly. A little while back I had asked on
this list if it were possible to verify integrity of packages downloaded
from a mirror. The discussion didn't go very far.

Since the Packages.gz has md5sums for the entire package, one scheme
would be to download this file from a trusted source, like the main
Debian website, and then compare these checksums to the downloaded
packages that come from a mirror site.

Has somebody already come up with a package that does this? Again, my
knowledge on this topic may be lacking, but it seems a lot of trust is
placed in the administrators of mirror sites. How difficult would it be
for an errant administrator to substitute the official packages with one
of his own trojans?

Thanks, again.

Andy
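The scheme Andy sketches (take the MD5sum: fields from a Packages file fetched from a trusted host and recompute them over the .debs that actually came off the mirror) and the per-file /var/lib/dpkg/info/*.md5sums check Colin describes are both a few lines of shell. The script below is an added example written for this page, not code from the thread or from Debian; it assumes a POSIX sh with awk, mktemp and a coreutils-style md5sum, and it runs against a constructed mini-archive in a temp directory, with plain files standing in for .debs (the Packages MD5sum field covers the .deb as an opaque file, so the stand-in is exact for the purpose). The trojaned beta package and the alpha.md5sums list are constructed for the demo. Note the limit of the scheme: it only relocates trust to the host that serves Packages.gz and to the integrity of that one transfer; later apt releases closed that gap with signed Release files, and MD5 itself has since lost collision resistance, so this is a 2002-era check, not current practice.

```shell
#!/bin/sh
# Added example, not from the list thread: verify mirror-downloaded .debs
# against a trusted Packages file, then verify installed files against a
# dpkg-style .md5sums list.  All paths below are constructed for the demo.

# Print "<md5> <Filename>" for every stanza in a Packages file.
# Stanzas are blank-line separated, so awk paragraph mode (RS="") splits them.
packages_sums() {
    awk -v RS= -F'\n' '
        { f = ""; m = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^Filename: /) f = substr($i, 11)
              if ($i ~ /^MD5sum: /)   m = substr($i, 9)
          }
          if (f != "" && m != "") print m, f
        }' "$1"
}

# verify_debs TRUSTED_PACKAGES MIRROR_ROOT
# For each listed package, recompute the MD5 of the mirror's copy and print
# one line: OK, MISMATCH or MISSING, followed by the Filename field.
verify_debs() {
    packages_sums "$1" | while read -r want path; do
        deb="$2/$path"
        if [ ! -f "$deb" ]; then
            echo "MISSING $path"
            continue
        fi
        got=$(md5sum "$deb" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path"
        fi
    done
}

# verify_md5sums ROOT MD5SUMS_FILE
# dpkg's /var/lib/dpkg/info/<pkg>.md5sums holds "<md5>  <path relative to />",
# which is the format md5sum -c reads, so run the check from ROOT.
verify_md5sums() {
    if (cd "$1" && md5sum -c "$2" >/dev/null 2>&1); then
        echo "ALL-OK"
    else
        echo "FAILED"
    fi
}

# Build the constructed mini-archive: two fake packages, a Packages file
# carrying their genuine sums, then a substituted beta package as a dishonest
# mirror might serve it.  Also an installed file plus its .md5sums list.
# Prints the directory path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pool/main/a/alpha" "$d/pool/main/b/beta" "$d/root/usr/bin"
    printf 'alpha package payload\n' > "$d/pool/main/a/alpha/alpha_1.0_all.deb"
    printf 'beta package payload\n'  > "$d/pool/main/b/beta/beta_2.0_all.deb"
    {
        for p in a/alpha/alpha_1.0_all.deb b/beta/beta_2.0_all.deb; do
            name=${p##*/}; name=${name%%_*}
            printf 'Package: %s\nFilename: pool/main/%s\nMD5sum: %s\n\n' \
                "$name" "$p" "$(md5sum "$d/pool/main/$p" | awk '{ print $1 }')"
        done
    } > "$d/Packages"
    # Tamper after the trusted Packages file was written.
    printf 'trojaned beta\n' > "$d/pool/main/b/beta/beta_2.0_all.deb"
    # Installed-file check: one file and its md5sums entry, relative to root.
    printf 'hello\n' > "$d/root/usr/bin/alpha"
    (cd "$d/root" && md5sum usr/bin/alpha) > "$d/alpha.md5sums"
    echo "$d"
}

# Stand-alone run: expect OK for alpha, MISMATCH for beta, ALL-OK for the list.
demo_dir=$(make_demo)
verify_debs "$demo_dir/Packages" "$demo_dir"
verify_md5sums "$demo_dir/root" "$demo_dir/alpha.md5sums"
rm -rf "$demo_dir"
```

Against a real mirror the MIRROR_ROOT argument is the directory that holds the downloaded pool/ tree, and the Packages file is the one fetched (and decompressed) from the host you trust, not the mirror's own copy; feeding verify_debs the mirror's Packages.gz verifies nothing, since a substituted .deb and a matching substituted MD5sum: line come from the same hand.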

