On Sat, Jun 12, 1999 at 11:29:09PM +0200, Thomas Schoepf wrote:
> On Sat, 12 Jun 1999, Chris Leishman wrote:
>
> > A program such as cruft could be produced that also verified binary signatures
> > against those in the original packages - thus highlighting non-debian
> > binaries without the need of a tripwire database.
>
> I once wrote a little perl script that does it the other way round:
> Compare all files listed in /var/lib/dpkg/info/*.md5sums with their
> versions currently stored in the real filesystem.
> But it takes some time to run: something between 5 and 10 minutes to check
> about 500 MB on my AMD K6-266 with a DCAS SCSI disk.
>
> If you're interested in it, just tell me.
>
Hmm...this is precisely what I was talking about. I didn't realise that some
packages kept md5sums of all their contents (including those in /usr/bin, etc).

Unfortunately, not every package has a .md5sums file.
What are the criteria that determine which packages get .md5sums files
stored in /var/lib/dpkg/info/?

What I would prefer to see, however, is this information stored in a file
similar to the packages file on the master server (and mirrors). That way
the integrity of the signatures could be more assured.

Chris
--
----------------------------------------------------------------------
As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key. KeyID 0xA9E087D5
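
The check discussed in this message (comparing the files on disk with the entries in /var/lib/dpkg/info/*.md5sums, and noticing packages that ship no .md5sums at all) can be sketched as follows. This is an added example, not part of the original message and not the perl script mentioned in it; the function names `file_md5`, `audit` and `demo` and the sample tree are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def file_md5(path):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit(info_dir, root):
    """Check each <pkg>.md5sums in info_dir against the files below root."""
    info_dir, root = Path(info_dir), Path(root)
    problems = {}  # package -> [(relative path, "missing" | "modified")]
    for sums in sorted(info_dir.glob("*.md5sums")):
        bad = []
        for line in sums.read_text(errors="replace").splitlines():
            if len(line) < 35:
                continue  # not "<32 hex digits><2 separator chars><path>"
            expected, rel = line[:32].lower(), line[34:].lstrip("/")
            target = root / rel  # paths in .md5sums are relative to /
            if not target.is_file():
                bad.append((rel, "missing"))
            elif file_md5(target) != expected:
                bad.append((rel, "modified"))
        if bad:
            problems[sums.name[:-len(".md5sums")]] = bad
    # Packages with a file list but no checksums cannot be verified at all.
    have_sums = {p.name[:-len(".md5sums")] for p in info_dir.glob("*.md5sums")}
    have_list = {p.name[:-len(".list")] for p in info_dir.glob("*.list")}
    return problems, sorted(have_list - have_sums)

def demo():
    """Constructed sample tree (not a real dpkg database): 'good' verifies,
    'evil' is changed after install, 'nosums' ships no .md5sums file."""
    with tempfile.TemporaryDirectory() as tmp:
        root, info = Path(tmp), Path(tmp, "var/lib/dpkg/info")
        info.mkdir(parents=True)
        (root / "usr/bin").mkdir(parents=True)
        for pkg in ("good", "evil"):
            (root / "usr/bin" / pkg).write_bytes(b"original " + pkg.encode())
            digest = file_md5(root / "usr/bin" / pkg)
            (info / f"{pkg}.md5sums").write_text(f"{digest}  usr/bin/{pkg}\n")
            (info / f"{pkg}.list").write_text(f"/usr/bin/{pkg}\n")
        (info / "nosums.list").write_text("/usr/bin/nosums\n")
        (root / "usr/bin/evil").write_bytes(b"replaced after install")
        return audit(info, root)
```

On a real system the call would be `audit("/var/lib/dpkg/info", "/")`. A clean result only shows that the files agree with the checksums stored on the same disk, which is why the message asks for the reference sums to be kept on the master server instead.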