Re: verifying a Debian package
Ah, thanks so much! I wasn't aware of 'debsums'. Not having checked
it out yet, it sounds like what I am inquiring about. I'm installing
it now. I'm more interested in the corruption case than the hacker one
so I believe debsums is the answer. Thanks to both of you for inputs.
Paul
->>In response to your message<<-
--received from Karsten M. Self--
>
> on Tue, Sep 02, 2003 at 04:20:40PM -0700, Paul Yeatman (pyeatman@ucsd.edu) wrote:
> > Hi, just curious if anyone knows how to "verify" a package with
> > Debian. This has proved to be useful with some Red Hat machines I
> > administer ("rpm {-V|--verify} <package name>"). Such a command will
> > check that all the files and their attributes are as expected for that
> > package. I've checked the manual page for dpkg a few times but have
> > not come up with an equivalent command for Debian yet.
>
> Debian packages aren't signed. There are authentication requirements
> for uploading packages to distribution servers.
>
> There are various reasons for this. Joey Hess is probably closest to
> the authoritative source.
>
> Many files within many debian packages _do_ have MD5 sums. The debsums
> package allows you to validate installed files against an md5sum
> database. Think through what it is you're trusting when you do this.
>
> There's some interesting online discussion of this issue. See:
>
> FROM: Anthony Towns
> DATE: 04/04/2000 01:59:57
> SUBJECT: Packages and Signatures, a summary
> http://www.geocrawler.com/archives/3/216/2000/4/1550/3549735/
>
> Subject: Re: ITP: mini-dinstall -- daemon for updating Debian
> packages in a repository
> From: Joey Hess <joeyh@debian.org>
> Date: Sun, 18 Aug 2002 20:37:11 -0400
> http://lists.debian.org/debian-devel/2002/debian-devel-200208/msg01172.html
>
> Subject: Checking Signatures and Checksums
> From: Aurelio Turco <a.turco@bom.gov.au>
> Date: Tue, 03 Sep 2002 07:18:08 +0000
> http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00339.html
>
> There's also a debsig-verify package, which I just learned about
> researching this question ;-)
>
> This is a FAQ, but I'm not coming up with a definitive answer at the
> Debian FAQ: http://www.debian.org/doc/FAQ/
>
>
> Peace.
>
> --
> Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
> What Part of "Gestalt" don't you understand?
> Defeat EU Software Patents! http://swpat.ffii.org/
--
Paul Yeatman (858) 534-9896 pyeatman@ucsd.edu
==================================
==Proudly brought to you by Mutt==
==================================
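
Added example, not part of the original messages and not debsums' own code: a Python sketch of the check discussed in this thread, validating files against a stored MD5 list. It shows the corruption case being caught and why the result is only as trustworthy as the list itself. The `<md5>  <relative path>` list layout, the file names and the temporary tree are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path: Path) -> str:
    # MD5 because that is the digest the md5sums lists carry
    return hashlib.md5(path.read_bytes()).hexdigest()


def verify(md5sums: Path, root: Path) -> dict:
    """Check each '<md5>  <relative path>' line against the files under root."""
    result = {"ok": [], "changed": [], "missing": []}
    for line in md5sums.read_text().splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        target = root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif md5_of(target) != digest.lower():
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def write_list(md5sums: Path, root: Path, rels: list) -> None:
    md5sums.write_text("".join(f"{md5_of(root / r)}  {r}\n" for r in rels))


def demo() -> dict:
    """Constructed sample tree; nothing here touches the real dpkg database."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "usr/bin").mkdir(parents=True)
        rels = ["usr/bin/hello", "usr/bin/hello-doc"]
        for r in rels:
            (root / r).write_bytes(b"original contents of " + r.encode())
        sums = Path(tmp) / "hello.md5sums"
        write_list(sums, root, rels)
        clean = verify(sums, root)
        # Corruption case: one file damaged, one lost; the list is untouched.
        (root / rels[0]).write_bytes(b"bit rot")
        (root / rels[1]).unlink()
        corrupted = verify(sums, root)
        # Trust limit: whoever can rewrite the file can rewrite the list too.
        write_list(sums, root, rels[:1])
        relisted = verify(sums, root)
    return {"clean": clean, "corrupted": corrupted, "relisted": relisted}
```

The third result comes back clean even though the file no longer has its original contents, which is why a list stored beside the files answers the corruption question but not the tampering one.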