
Re: Draft: policy for vendors listed on Debian website


Luca Capello <luca@pca.it> wrote:
> $ wget [...]/debian-6.0.3-amd64-CD-1.iso
> [...]
> $ gpg --verify MD5SUMS.sign
> [...]
> I am not a CD expert, so a simple question: if I burn the verified image
> above (debian-6.0.3-amd64-CD-1.iso), do the following commands produce
> an image that will match its checksum in MD5SUMS?
>   $ cat /dev/cdrom >image.iso
>   $ dd if=/dev/cdrom of=image.iso

I am the upstream developer of a burn program. Subscribed to the debian-cd list.

Above method will work with CD written by write type SAO and with no
padding added by the burn program.
It will surely not work with CD written by type TAO, with DVD+RW,
or with BD-RE. Probably not with DVD+R and BD-R.
Reason is that media can deliver trailing garbage after the end
of the ISO image resp. that burn programs may write padding bytes
after the image.

You may be lucky and no trailing garbage is delivered. But you
cannot generally trust in this luck.

> If not, the only way to verify that the CD bought from any vendor comes
> actually from an "Official CD Debian image" is to verify its
> content.  The CD image contains an md5sum.txt file
> $ sudo mount -o loop debian-6.0.3-amd64-CD-1.iso /media/cdrom0 
> [...]
> $ cd /media/cdrom0/
> [...]
> $ md5sum -c md5sum.txt && echo 'everything OK!'

I wrote a shell script as an alternative to this. George Danchev recently
presented it to the debian-cd list:

It determines the size of the ISO image and then pipes the appropriate
number of bytes through md5sum. The result is compared with a line from
Debian checksum files like MD5SUMS.
Human readable messages and exit value tell the result.

In your above example, the script run would look like

  ./check_debian_iso MD5SUMS CD-1 /dev/cdrom

Result on stdout would be either

  MISMATCH: '/dev/cdrom' checksum differs from 'debian-6.0.3-amd64-CD-1.iso' in 'MD5SUMS'

with exit value 3, or

  Ok: '/dev/cdrom' matches 'debian-6.0.3-amd64-CD-1.iso' in 'MD5SUMS'

with exit value 0.

For testing, download and rename it:

  wget http://lists.debian.org/debian-cd/2011/11/bincu5TxtRSZn.bin
  mv bincu5TxtRSZn.bin check_debian_iso
  chmod u+x check_debian_iso

If you like it, give it a try on as many operating systems as possible,
and report your experiences.
  ./check_debian_iso --help

Have a nice day :)
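
The size-limited checksum described in the message above, as an added example that is not the check_debian_iso script and not code from this thread. It assumes the size recorded in the ISO 9660 Primary Volume Descriptor covers the whole image, takes the full image name rather than an abbreviation like CD-1, and uses hypothetical function names.

```sh
#!/bin/sh
# Added example (not check_debian_iso itself): checksum only the ISO 9660
# image area of a device or file, ignoring whatever the medium delivers after it.

# Print the unsigned little-endian integer of $3 bytes at byte offset $2 of $1.
read_le() {
    od -An -v -tu1 -j "$2" -N "$3" "$1" |
        awk '{ n = 0; for (i = NF; i >= 1; i--) n = n * 256 + $i; printf "%d\n", n }'
}

# Print the image size in bytes from the Primary Volume Descriptor at sector 16
# (byte 32768): volume space size at +80, logical block size at +128.
iso_size() {
    magic=$(dd if="$1" bs=1 skip=32769 count=5 2>/dev/null) || return 2
    [ "$magic" = "CD001" ] || return 2
    blocks=$(read_le "$1" 32848 4)
    bsize=$(read_le "$1" 32896 2)
    echo $((blocks * bsize))
}

# Print the MD5 of exactly the first iso_size bytes of $1.
iso_md5() {
    size=$(iso_size "$1") || return 2
    head -c "$size" "$1" | md5sum | cut -d' ' -f1
}

# $1 = checksum file, $2 = full image name in that file, $3 = device or file.
# Returns 0 on match and 3 on mismatch as in the message above; 1 and 2 are
# this example's own choices for "no such entry" and "not an ISO 9660 image".
check_iso() {
    want=$(awk -v n="$2" '$2 == n { print $1 }' "$1")
    [ -n "$want" ] || { echo "no entry for '$2' in '$1'"; return 1; }
    got=$(iso_md5 "$3") || { echo "'$3': no ISO 9660 volume descriptor"; return 2; }
    if [ "$got" = "$want" ]; then
        echo "Ok: '$3' matches '$2' in '$1'"
        return 0
    fi
    echo "MISMATCH: '$3' checksum differs from '$2' in '$1'"
    return 3
}

# Usage: sh this_file MD5SUMS debian-6.0.3-amd64-CD-1.iso /dev/cdrom
if [ "$#" -eq 3 ]; then check_iso "$@"; fi
```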

