[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: verifying a Debian package

Ah, thanks so much!  I wasn't aware of 'debsums'.  Not having checked
it out yet, it sounds like what I am inquiring about.  I'm installing
it now.  I'm more interested in the corruption case than the hacker one
so I believe debsums is the answer.  Thanks to both of you for imputs.


->>In response to your message<<-
  --received from Karsten M. Self--
> on Tue, Sep 02, 2003 at 04:20:40PM -0700, Paul Yeatman (pyeatman@ucsd.edu) wrote:
> > Hi, just curious if anyone knows how to "verify" a package with
> > Debian.  This has proved to be useful with some Red Hat machines I
> > administer ("rpm {-V|--verify} <package name>").  Such a command will
> > check that all the files and their attributes are as expected for that
> > package.  I've check the manual page for dpkg a few times but have
> > not come up with an equivalent command for Debian yet.
> Debian packages aren't signed.  There are authentication requirements
> for uplaoding packages to distribution servers.
> There are various reasons for this.  Joey Hess is probably closest to
> the authoritative source.
> Many files within many debian packages _do_ have MD5 sums.  The debsums
> package allows you to validate installed files against an md5sum
> database.  Think through what it is you're trusting when you do this.
> There's some interestign online discussion of this issue.  See:
>     FROM: Anthony Towns
>     DATE: 04/04/2000 01:59:57
>     SUBJECT:  Packages and Signatures, a summary
>     http://www.geocrawler.com/archives/3/216/2000/4/1550/3549735/
>     Subject: Re: ITP: mini-dinstall -- daemon for updating Debian
>     packages in a repository
>     From: Joey Hess <joeyh@debian.org>
>     Date: Sun, 18 Aug 2002 20:37:11 -0400
>     http://lists.debian.org/debian-devel/2002/debian-devel-200208/msg01172.html
>     Subject: Checking Signatures and Checksums
>     From: Aurelio Turco <a.turco@bom.gov.au>
>     Date: Tue, 03 Sep 2002 07:18:08 +0000
>     http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00339.html
> There's also a debsig-verify package, which I just learned about
> researching this question ;-)
> This is a FAQ, but I'm not coming up with a definitive answer at the
> Debian FAQ:  http://www.debian.org/doc/FAQ/
> Peace.
> -- 
> Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
>  What Part of "Gestalt" don't you understand?
>     Defeat EU Software Patents!                         http://swpat.ffii.org/

Paul Yeatman       (858) 534-9896        pyeatman@ucsd.edu
	     ==Proudly brought to you by Mutt==

Reply to: