
Re: Detecting a compromised system



On Sunday 15 February 2009 18:06:55 Nikolaus Rath wrote:
> But why do I need to make an explicit
> snapshot of the system if all debian packages already contain the
> necessary information?

This information is tool-specific.  It doesn't belong in the package.  One 
Debian tool, debsums, does occasionally get its version of this information 
shipped with the packages.  But, not all of them (the packages) do.  It's up 
to the packager to ship debsums or not, AFAIK.

Sure, you could byte-by-byte compare against the file extracted from the .deb, 
but the .deb isn't retained (too long) after installation.

> Is there no tool available that makes use of
> it?

debsums will make use of debsums-information in the packages, generate 
debsums-information for packages that don't have it (either as they are 
installed or afterwards), and verify the state of packages based on debsums-
information.  It does not concern itself with files that are not recorded in 
the dpkg database.

It's also possible to use apt (or dpkg??) hooks to update other tools at 
installation/deinstallation time, but that might undermine the intent behind 
the tools.  (An attacker can do whatever they want as long as they do it as a 
package?)
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
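Added example, not from this post or from the debsums package: a small Python checker that reads the same md5sums-list format dpkg keeps per package (one "<md5 hex>  <path relative to />" line per file), compares it against a directory tree, and also lists files in that tree that no list records, which is the blind spot described above. The package name, file paths and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse dpkg md5sums-format text into {relative_path: md5hex}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.strip()] = digest.lower()
    return entries

def verify(root, md5sums_text):
    """Return (mismatched, missing, unrecorded) relative paths under root.
    'unrecorded' = files present on disk that no md5sums line covers."""
    expected = parse_md5sums(md5sums_text)
    mismatched, missing, unrecorded = [], [], []
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
            continue
        with open(full, "rb") as fh:
            if hashlib.md5(fh.read()).hexdigest() != digest:
                mismatched.append(rel)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in expected:
                unrecorded.append(rel)
    return mismatched, missing, sorted(unrecorded)

def demo():
    """Constructed scenario: an intact, an altered, a missing and an unrecorded file."""
    root = tempfile.mkdtemp()
    recorded = {"usr/bin/tool": b"#!/bin/sh\necho ok\n",
                "usr/lib/tool/helper.sh": b"echo helper\n",
                "usr/share/doc/tool/README": b"docs\n"}
    md5sums = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in recorded.items())
    on_disk = dict(recorded)
    on_disk["usr/lib/tool/helper.sh"] = b"echo changed\n"   # altered after install
    del on_disk["usr/share/doc/tool/README"]                 # recorded but removed
    on_disk["usr/local/bin/extra"] = b"not from any package\n"  # never recorded by dpkg
    for rel, data in on_disk.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return verify(root, md5sums)
```

Running `demo()` reports the altered helper as mismatched, the README as missing, and the extra binary only via the unrecorded list, which a dpkg-only check such as debsums would never produce.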
