
Re: verifying a Debian package



Ah, thanks so much!  I wasn't aware of 'debsums'.  Not having checked
it out yet, it sounds like what I am inquiring about.  I'm installing
it now.  I'm more interested in the corruption case than the hacker one
so I believe debsums is the answer.  Thanks to both of you for inputs.

Paul


->>In response to your message<<-
  --received from Karsten M. Self--
>
> on Tue, Sep 02, 2003 at 04:20:40PM -0700, Paul Yeatman (pyeatman@ucsd.edu) wrote:
> > Hi, just curious if anyone knows how to "verify" a package with
> > Debian.  This has proved to be useful with some Red Hat machines I
> > administer ("rpm {-V|--verify} <package name>").  Such a command will
> > check that all the files and their attributes are as expected for that
> > package.  I've checked the manual page for dpkg a few times but have
> > not come up with an equivalent command for Debian yet.
> 
> Debian packages aren't signed.  There are authentication requirements
> for uploading packages to distribution servers.
> 
> There are various reasons for this.  Joey Hess is probably closest to
> the authoritative source.
> 
> Many files within many debian packages _do_ have MD5 sums.  The debsums
> package allows you to validate installed files against an md5sum
> database.  Think through what it is you're trusting when you do this.
> 
> There's some interesting online discussion of this issue.  See:
> 
>     FROM: Anthony Towns
>     DATE: 04/04/2000 01:59:57
>     SUBJECT:  Packages and Signatures, a summary
>     http://www.geocrawler.com/archives/3/216/2000/4/1550/3549735/
> 
>     Subject: Re: ITP: mini-dinstall -- daemon for updating Debian
>     packages in a repository
>     From: Joey Hess <joeyh@debian.org>
>     Date: Sun, 18 Aug 2002 20:37:11 -0400
>     http://lists.debian.org/debian-devel/2002/debian-devel-200208/msg01172.html
> 
>     Subject: Checking Signatures and Checksums
>     From: Aurelio Turco <a.turco@bom.gov.au>
>     Date: Tue, 03 Sep 2002 07:18:08 +0000
>     http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00339.html
> 
> There's also a debsig-verify package, which I just learned about
> researching this question ;-)
> 
> This is a FAQ, but I'm not coming up with a definitive answer at the
> Debian FAQ:  http://www.debian.org/doc/FAQ/
> 
> 
> Peace.
> 
> -- 
> Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
>  What Part of "Gestalt" don't you understand?
>     Defeat EU Software Patents!                         http://swpat.ffii.org/



-- 
Paul Yeatman       (858) 534-9896        pyeatman@ucsd.edu
	     ==================================
	     ==Proudly brought to you by Mutt==
	     ==================================
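
The check discussed in this thread, validating installed files against a package's md5sum database, as an added example that is not part of the original messages and is not the debsums code. It assumes the dpkg list format (MD5 hex, two spaces, path relative to the root, as stored in /var/lib/dpkg/info/<package>.md5sums); the function names and the sample tree are constructed for illustration. Because the database sits on the same disk as the files, a match shows the file is uncorrupted, not that the database itself is trustworthy.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Yield (md5hex, relative_path) pairs from dpkg-style md5sums text."""
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")  # hash, two spaces, path
            yield digest.lower(), path


def file_md5(path):
    """MD5 of a file; MD5 only because that is what the database stores."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def verify(md5sums_text, root="/"):
    """Return {relative_path: "OK" | "FAILED" | "MISSING"} for each entry."""
    results = {}
    for expected, rel in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        else:
            results[rel] = "OK" if file_md5(full) == expected else "FAILED"
    return results


def demo():
    """Constructed sample: a throwaway root with one corrupted and one lost file."""
    files = {"usr/bin/tool": b"binary\n",
             "usr/share/doc/tool/README": b"docs\n",
             "etc/tool.conf": b"opt=1\n"}
    with tempfile.TemporaryDirectory() as root:
        lines = []
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        with open(os.path.join(root, "usr/bin/tool"), "ab") as fh:
            fh.write(b"\x00")  # simulate on-disk corruption
        os.remove(os.path.join(root, "etc/tool.conf"))  # simulate a lost file
        return verify("\n".join(lines), root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8}{path}")
```
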


