
Re: Debian packages without md5sums



Florian Kulzer <florian.kulzer+debian@icfo.es> writes:

> On Sat, Oct 06, 2007 at 20:02:43 -0700, Carl Johnson wrote:
> > Florian Kulzer writes:
> 
> [...]
> 
> [ We are discussing about verifying the content of Debian DVDs. ]
> 
> > > First you need to download the files which list these checksums:
> > > 
> > >   wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> > >   wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}
> > 
> > I didn't notice until after I downloaded them that they are i386, but
> > I have amd64, but it was easy enough to find the amd64 ones.  Then I
> > noticed that they are 4.0_r1 and I just have the original 4.0.  That
> > is where I struck out and was unable to find any other than r1.
> 
> Googling for "debian-40r0-amd64-DVD-1.iso" finds a few places that list
> the checksums for 4.0r0, for example:
> 
> http://www.mail-archive.com/debian-cd@lists.debian.org/msg16901.html
> 
> You can compare your md5/sha1sums with the ones listed there. That is
> nowhere near as good as having a signed file, but it is better than
> nothing.

I tried verifying against those, but mine don't compare, so I don't
know what is happening.

> > I ended up doing this anyways, since they are official DVDs from a
> > vendor listed at debian.org.
> 
> It does not hurt to check against the checksums on the web. One of the
> DVDs might have been produced incorrectly or might have been damaged
> since. (Most physical damage would probably have shown up already as a
> read error when you ran md5/sha1sum, though.)

Right, that's what I figure also.

> > I was going to file a bug about the
> > Release.gpg not being present, until I suddenly realized that they
> > can't put them on the ISO image without changing the checksum.
> 
> This is a minor point, but let me clarify: The "Release.gpg" file only
> vouches for the content of the "Release" file and nothing else. The
> Release file has the checksums for the "Packages", "Packages.gz", and
> "Packages.bz2" files, which in turn list the checksums for the
> individual .deb packages. You can look at all these files, they are just
> (compressed) ASCII text.
> 
> Therefore it would be possible to put Release.gpg files on the CDs and
> DVDs. Maybe this is not done because the security implications are
> different for physical media than they are for repeatedly downloading
> packages from the net.

Thanks for the clarification.  I had completely missed that.  I will
file a wishlist bug on debian-installer.  I don't know if that is the
right place, but if not they should notify me where it should be sent.

Thanks again for all of your help.
-- 
Carl Johnson		carlj@peak.org
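The Release -> Packages -> .deb checksum chain that Florian describes above, worked through as an added example (not part of this thread, and not Debian's own tooling): all file contents are constructed inline, and it assumes Release.gpg has already been checked against Release with gpg --verify.

```python
import hashlib
# Constructed sample data, not from a real DVD: a fake .deb, the Packages
# stanza listing it, and a Release file listing that Packages file.
def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()
DEB = b"!<arch>\nconstructed-fake-deb\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_amd64.deb"
PKG_PATH = "main/binary-amd64/Packages"
PACKAGES = (f"Package: example\nVersion: 1.0-1\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nMD5sum: {digest(DEB, 'md5')}\n"
            f"SHA1: {digest(DEB, 'sha1')}\n").encode()
RELEASE = (f"Origin: Debian\nSuite: stable\nCodename: etch\nMD5Sum:\n"
           f" {digest(PACKAGES, 'md5')} {len(PACKAGES)} {PKG_PATH}\nSHA1:\n"
           f" {digest(PACKAGES, 'sha1')} {len(PACKAGES)} {PKG_PATH}\n")

# Release spells it "MD5Sum:", Packages "MD5sum:"; both map to hashlib names.
ALGOS = {"MD5Sum": "md5", "MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

def parse_release(text):
    """{path: (size, {algo: hexdigest})} from the hash stanzas of a Release file."""
    entries, algo = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():        # "MD5Sum:", "Origin: ...", ...
            algo = ALGOS.get(line.split(":", 1)[0])
        elif algo and line.split():               # " <hex> <size> <path>"
            hexdigest, size, path = line.split()
            entries.setdefault(path, (int(size), {}))[1][algo] = hexdigest
    return entries

def parse_packages(text):
    """One {field: value} dict per blank-line-separated stanza of a Packages file."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in text.split("\n\n") if b.strip()]

def matches(data, size, digests):
    """True iff the size and every listed digest (at least one) agree with data."""
    return len(data) == size and bool(digests) and all(
        digest(data, a) == d for a, d in digests.items())

def verify_chain(release, packages_path, packages, debs):
    """Release -> Packages -> .deb: fail closed on a missing entry or any mismatch."""
    size, digests = parse_release(release).get(packages_path, (-1, {}))
    if not matches(packages, size, digests):
        return False
    for st in parse_packages(packages.decode()):
        want = {ALGOS[f]: st[f] for f in ("MD5sum", "SHA1", "SHA256") if f in st}
        if not matches(debs.get(st.get("Filename", ""), b""), int(st.get("Size", -1)), want):
            return False
    return True
```

On a real DVD the same walk starts at dists/<suite>/Release and the Packages path listed there, with the .deb bytes read from the disc's pool/ tree.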