On Sat, Jun 12, 1999 at 11:29:09PM +0200, Thomas Schoepf wrote:
> On Sat, 12 Jun 1999, Chris Leishman wrote:
>
> > A program such as cruft could be produced that also verified binary signatures
> > against those in the original packages - thus highlighting non-debian
> > binaries without the need of a tripwire database.
>
> I once wrote a little perl script that does it the other way round:
> Compare all files listed in /var/lib/dpkg/info/*.md5sums with their
> versions currently stored in the real filesystem.
> But it takes some time to run: something between 5 and 10 minutes to check
> about 500 MB on my AMD K6-266 with a DCAS SCSI disk.
>
> If you're interested in it, just tell me.
>

Hmm...this is precisely what I was talking about.  I didn't realise that some
packages kept md5sums of all their contents (including those in /usr/bin, etc).

Unfortunately, not every package has a .md5sums file.  What are the criteria
that determine which packages get .md5sums files stored in
/var/lib/dpkg/info/ ??

What I would prefer to see, however, is this information stored in a file
similar to the packages file on the master server (and mirrors).  That way the
integrity of the signatures could be more assured.

Chris

--
----------------------------------------------------------------------
As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5
Attachment:
pgpr7Ixhzo0PR.pgp
Description: PGP signature
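The check discussed in this message, as an added Python example (it is not Thomas Schoepf's perl script and not part of the original thread): it compares every file listed in the `*.md5sums` files against the filesystem and also reports packages that have a `.list` file but no `.md5sums` file. The function names `md5_of`, `check_packages` and `demo` are hypothetical, each line is assumed to be `<md5>  <path relative to root>`, and the sample tree is constructed so the code runs without a Debian system.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()  # MD5 because that is what the .md5sums files record
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_packages(info_dir, root="/"):
    """Return (findings, uncovered). findings holds (package, path, status)
    tuples; uncovered lists packages with a .list but no .md5sums file."""
    findings, uncovered = [], []
    names = sorted(os.listdir(info_dir))
    for name in names:
        pkg, ext = os.path.splitext(name)
        if ext == ".list" and pkg + ".md5sums" not in names:
            uncovered.append(pkg)  # installed, but nothing to compare against
        if ext != ".md5sums":
            continue
        sums_path = os.path.join(info_dir, name)
        with open(sums_path, encoding="utf-8", errors="surrogateescape") as f:
            for line in f:
                expected, _, rel = line.rstrip("\n").partition("  ")
                if not rel:
                    continue  # blank or malformed line
                target = os.path.join(root, rel)
                if not os.path.isfile(target):
                    findings.append((pkg, rel, "missing"))
                elif md5_of(target) != expected.lower():
                    findings.append((pkg, rel, "modified"))
    return findings, uncovered

def demo():
    # Constructed sample: one altered file, one intact, one deleted.
    files = {"usr/bin/hello": b"original\n", "usr/bin/ok": b"ok\n", "usr/bin/gone": b"x\n"}
    with tempfile.TemporaryDirectory() as tmp:
        info, root = os.path.join(tmp, "info"), os.path.join(tmp, "root")
        os.makedirs(info)
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(info, "hello.md5sums"), "w") as sums:
            for rel, data in files.items():
                sums.write(f"{hashlib.md5(data).hexdigest()}  {rel}\n")
                if not rel.endswith("gone"):
                    with open(os.path.join(root, rel), "wb") as f:
                        f.write(b"replaced\n" if rel.endswith("hello") else data)
        for pkg in ("hello", "nosums"):
            open(os.path.join(info, pkg + ".list"), "w").close()
        return check_packages(info, root)

if __name__ == "__main__":
    print(demo())
```

The baseline here is read from the same machine being checked, which is the limitation the message raises when it asks for the sums to be published alongside the packages file on the master server.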