Re: Debian packages without md5sums
Florian Kulzer <florian.kulzer+debian@icfo.es> writes:
> On Sat, Oct 06, 2007 at 20:02:43 -0700, Carl Johnson wrote:
> > Florian Kulzer writes:
>
> [...]
>
> [ We are discussing about verifying the content of Debian DVDs. ]
>
> > > First you need to download the files which list these checksums:
> > >
> > > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> > > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}
> >
> > I didn't notice until after I downloaded them that they are i386, but
> > I have amd64, but it was easy enough to find the amd64 ones. Then I
> > noticed that they are 4.0_r1 and I just have the original 4.0. That
> > is where I struck out and was unable to find any other than r1.
>
> Googling for "debian-40r0-amd64-DVD-1.iso" finds a few places that list
> the checksums for 4.0r0, for example:
>
> http://www.mail-archive.com/debian-cd@lists.debian.org/msg16901.html
>
> You can compare your md5/sha1sums with the ones listed there. That is
> nowhere near as good as having a signed file, but it is better than
> nothing.
I tried verifying against those, but mine don't compare, so I don't
know what is happening.
> > I ended up doing this anyways, since they are official DVDs from a
> > vendor listed at debian.org.
>
> It does not hurt to check against the checksums on the web. One of the
> DVDs might have been produced incorrectly or might have been damaged
> since. (Most physical damage would probably have shown up already as a
> read error when you ran md5/sha1sum, though.)
Right, that's what I figure also.
> > I was going to file a bug about the
> > Release.gpg not being present, until I suddenly realized that they
> > can't put them on the ISO image without changing the checksum.
>
> This is a minor point, but let me clarify: The "Release.gpg" file only
> vouches for the content of the "Release" file and nothing else. The
> Release file has the checksums for the "Packages", "Packages.gz", and
> "Packages.bz2" files, which in turn list the checksums for the
> individual .deb packages. You can look at all these files, they are just
> (compressed) ASCII text.
>
> Therefore it would be possible to put Release.gpg files on the CDs and
> DVDs. Maybe this is not done because the security implications are
> different for physical media than they are for repeatedly downloading
> packages from the net.
Thanks for the clarification. I had completely missed that. I will
file a wishlist bug on debian-installer. I don't know if that is the
right place, but if not they should notify me where it should be sent.
Thanks again for all of your help.
--
Carl Johnson carlj@peak.org
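The Release -> Packages -> .deb checksum chain Florian describes above, as an added Python example that is not from this thread or from Debian's own tools. It assumes a local mirror-style tree (dists/<dist>/Release, the Packages index, and .debs under pool/), leaves the `gpg --verify` of Release.gpg against Release to the reader, and builds its own constructed sample tree in which one .deb is altered after it was indexed.

```python
import hashlib, re, tempfile
from pathlib import Path

def digest(path, algo):
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()  # stream in chunks for big files

def parse_release(text, algo):
    """{relpath: (hash, size)} from the ' <hash> <size> <path>' lines under the algo's header."""
    out, active = {}, False
    for line in text.splitlines():
        if line[:1] not in (" ", "\t"):                      # a header line such as "SHA1:"
            active = line.startswith(algo.upper() + ":")     # md5 would need "MD5Sum:" instead
        elif active and line.strip():
            h, size, rel = line.split()
            out[rel] = (h, int(size))
    return out

def parse_packages(text):                                    # one dict of fields per stanza
    return [dict(l.split(": ", 1) for l in s.splitlines() if l[:1] != " " and ": " in l)
            for s in re.split(r"\n\s*\n", text.strip())]

def file_ok(path, algo, want_hash, want_size):
    return path.is_file() and path.stat().st_size == want_size and digest(path, algo) == want_hash

def verify_tree(root, dist, algo="sha1"):
    """Release -> Packages -> .deb; returns {relpath: ok}. Release.gpg must already have been
    checked against dists/<dist>/Release with gpg --verify (not done here)."""
    root, results = Path(root), {}
    dist_dir = root / "dists" / dist
    for rel, (h, size) in parse_release((dist_dir / "Release").read_text(), algo).items():
        results[rel] = file_ok(dist_dir / rel, algo, h, size)
        if results[rel] and rel.endswith("Packages"):        # only trust an index that verified
            for pkg in parse_packages((dist_dir / rel).read_text()):
                results[pkg["Filename"]] = file_ok(root / pkg["Filename"], algo, pkg[algo.upper()], int(pkg["Size"]))
    return results

def build_sample_tree():
    # Constructed mini-archive: two fake .debs indexed correctly, then one altered afterwards.
    root = Path(tempfile.mkdtemp())
    for d in ("pool/main", "dists/etch/main/binary-amd64"):
        (root / d).mkdir(parents=True)
    stanzas = []
    for name, body in (("good", b"good deb"), ("bad", b"bad deb")):
        deb = root / f"pool/main/{name}_1.0_amd64.deb"
        deb.write_bytes(body)
        stanzas.append(f"Package: {name}\nFilename: pool/main/{deb.name}\nSize: {len(body)}\nSHA1: {digest(deb, 'sha1')}\n")
    pk = root / "dists/etch/main/binary-amd64/Packages"
    pk.write_text("\n".join(stanzas))
    (root / "dists/etch/Release").write_text(f"SHA1:\n {digest(pk, 'sha1')} {pk.stat().st_size} main/binary-amd64/Packages\n")
    (root / "pool/main/bad_1.0_amd64.deb").write_bytes(b"bad deb, tampered")   # edit after indexing
    return root
```

Running `verify_tree(build_sample_tree(), "etch")` reports the Packages index and the untouched .deb as good and the altered .deb as bad; the same walk applied to a mounted DVD only means something once Release itself has been tied to a signature.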