
Re: Debian packages without md5sums

On Sat, Oct 06, 2007 at 20:02:43 -0700, Carl Johnson wrote:
> Florian Kulzer writes:
[ We are discussing verifying the content of Debian DVDs. ]

> > First you need to download the files which list these checksums:
> > 
> >   wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> >   wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}
> I didn't notice until after I downloaded them that they are i386, but
> I have amd64, but it was easy enough to find the amd64 ones.  Then I
> noticed that they are 4.0_r1 and I just have the original 4.0.  That
> is where I struck out and was unable to find any other than r1.

Googling for "debian-40r0-amd64-DVD-1.iso" finds a few places that list
the checksums for 4.0r0, for example:


You can compare your md5/sha1sums with the ones listed there. That is
nowhere near as good as having a signed file, but it is better than


> I ended up doing this anyways, since they are official DVDs from a
> vendor listed at debian.org.

It does not hurt to check against the checksums on the web. One of the
DVDs might have been produced incorrectly or might have been damaged
since. (Most physical damage would probably have shown up already as a
read error when you ran md5/sha1sum, though.)

> I was going to file a bug about the
> Release.gpg not being present, until I suddenly realized that they
> can't put them on the ISO image without changing the checksum.

This is a minor point, but let me clarify: The "Release.gpg" file only
vouches for the content of the "Release" file and nothing else. The
Release file has the checksums for the "Packages", "Packages.gz", and
"Packages.bz2" files, which in turn list the checksums for the
individual .deb packages. You can look at all these files; they are just
(compressed) ASCII text.

Therefore it would be possible to put Release.gpg files on the CDs and
DVDs. Maybe this is not done because the security implications are
different for physical media than they are for repeatedly downloading
packages from the net.
> > > I should have been more clear about that.  I don't have different
> > > versions since I just have packages from the Etch DVDs.  It isn't in
> > > the actual aptitude list, but instead in the individual package
> > > entries.  The list of packages that depend on the package sometimes
> > > shows duplicate entries for packages that I already have.  This may
> > > just be an artifact of the way that aptitude tracks reverse
> > > dependencies.  An example is under apt, the list of 'packages which
> > > depend on apt' includes:
> > > 
> > > i     debtags 1.6.6
> > > i     debtags 1.6.6
> > 
> > Hmm, can you post the output of "apt-cache policy debtags"?
> Here it is, but debtags isn't the only one:
> debtags:
>   Installed: 1.6.6
>   Candidate: 1.6.6
>   Version table:
>  *** 1.6.6 0
>         500 cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch/main Packages
>         100 /var/lib/dpkg/status

That looks OK to me. I don't understand why you get these duplicate
entries in aptitude's interactive interface.

Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
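The checksum chain described in the message above (Release lists the Packages index, the Packages index lists each .deb), as an added Python example that is not part of this message: the Release and Packages contents and the .deb bytes are constructed samples, and the gpg check of Release.gpg against Release is left to gpgv rather than reproduced.

```python
import hashlib
import re
# Constructed sample data (not a real Debian archive): one fake .deb, the "Packages" stanza
# listing it, and the "Release" file listing the index. Release.gpg would sign RELEASE.
DEB_BYTES = b"constructed stand-in for example_1.0-1_amd64.deb\n"
PACKAGES = (
    "Package: example\nVersion: 1.0-1\n"
    "Filename: pool/main/e/example/example_1.0-1_amd64.deb\n"
    f"Size: {len(DEB_BYTES)}\n"
    f"MD5sum: {hashlib.md5(DEB_BYTES).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(DEB_BYTES).hexdigest()}\n\n"
).encode()
RELEASE = (
    "Origin: Debian\nCodename: etch\nMD5Sum:\n"
    f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
    "SHA1:\n"
    f" {hashlib.sha1(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
)
ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """Return {section: {path: (hexdigest, size)}} from a Release file's checksum sections."""
    result, section = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and section:          # indented checksum entry
            digest, size, path = line.split()
            result.setdefault(section, {})[path] = (digest, int(size))
        else:                                          # "Key: value" or "MD5Sum:" header
            key = line.split(":", 1)[0]
            section = key if key in ALGOS else None
    return result

def verify_packages_index(release_text, path, packages_bytes):
    """Step 2 of the chain: every checksum section of Release that lists `path` must match."""
    rel = parse_release(release_text)
    listed = [sec for sec in rel if path in rel[sec]]
    return bool(listed) and all(
        rel[sec][path] == (hashlib.new(ALGOS[sec], packages_bytes).hexdigest(), len(packages_bytes))
        for sec in listed)

def verify_deb(packages_bytes, filename, deb_bytes):
    """Step 3 of the chain: the Packages stanza for `filename` must match the .deb's size and hashes."""
    for stanza in packages_bytes.decode().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z0-9-]+): (.*)$", stanza, re.M))
        if fields.get("Filename") == filename:
            return (int(fields["Size"]) == len(deb_bytes)
                    and fields["MD5sum"] == hashlib.md5(deb_bytes).hexdigest()
                    and fields["SHA1"] == hashlib.sha1(deb_bytes).hexdigest())
    return False
```

A single flipped byte in either the Packages index or the .deb makes the corresponding step fail, which is why the signed Release file at the top of the chain is what gives the individual package checksums their value.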
