Automatic debsums generation

Since security is on everybody's minds at the moment, I thought I
should share:

I wanted debsums for all of my packages, not just the ones where the
package includes them. This doesn't offer protection against
server-side hacks, but it's at least another bit of reassurance for a
local system.

If you'd like to do this as well:

1. Fetch all of the debs for packages without debsums existing:

apt-get install --reinstall -m -d `debsums -l`

2. Generate sums for these fetched packages:

debsums --generate=nocheck -s -p /var/cache/apt/archives

3. Create /etc/apt/apt.conf.d/40debsums:

DPkg::Post-Invoke {
"echo -n Making debsums... && debsums --generate=nocheck -s -p /var/cache/apt/archives && echo OK!||echo FAILED!";
};

Older versions of dpkg may just need the above added to the end of
apt.conf. In either case, this will make the sums automatically
generate when new packages are installed.

4. Any debs you built yourself will need manual sum generation with a
command similar to step 2 pointing to the directory with the debs.

Congratulations. Now tiger and other tools that use debsums for
automated security checks will have more data to work with.

If anyone can suggest improvements on the above, please comment. I'll
collect any improvements and mail the debsums maintainer to ask if he
can include this in future /usr/share/docs.
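
The check that the sums generated above make possible, as an added example that is not part of the original message and is not debsums' own code: a shell function that verifies files under a root directory against an md5sums list, assuming the usual dpkg layout of one `<md5>  <path relative to root>` entry per line. The function names, the demo paths and the sample files are constructed for illustration.

```shell
#!/bin/sh
# verify_md5sums ROOT SUMSFILE
#   Prints "OK|FAILED|MISSING <path>" for every entry in SUMSFILE and
#   returns 0 only when every listed file exists and matches its sum.
verify_md5sums() {
    root=$1
    sums=$2
    rc=0
    while read -r want path; do
        [ -n "$want" ] || continue              # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"                # listed file no longer exists
            rc=1
            continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK $path"
        else
            echo "FAILED $path"                 # content changed since sums were made
            rc=1
        fi
    done < "$sums"
    return $rc
}

# Constructed demo: a fake package root with three files. After the sums
# are recorded, one file is modified and one is deleted.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/bin" "$d/root/etc"
    printf 'binary v1\n' > "$d/root/usr/bin/tool"
    printf 'setting=1\n' > "$d/root/etc/tool.conf"
    printf 'docs\n'      > "$d/root/README"
    ( cd "$d/root" && md5sum usr/bin/tool etc/tool.conf README ) > "$d/pkg.md5sums"
    printf 'binary v2\n' > "$d/root/usr/bin/tool"   # simulated modification
    rm "$d/root/README"                             # simulated removal
    verify_md5sums "$d/root" "$d/pkg.md5sums"
    status=$?
    rm -rf "$d"
    return $status
}

demo || echo "differences found"
```

The sums list is only as trustworthy as the place it is stored: a copy kept on the same writable filesystem can be regenerated by whoever modified the files.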
