On Sat, Oct 06, 2007 at 20:02:43 -0700, Carl Johnson wrote:
> Florian Kulzer writes:

[...]

[ We are discussing how to verify the content of Debian DVDs. ]

> > First you need to download the files which list these checksums:
> >
> > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}
>
> I didn't notice until after I downloaded them that they are i386, but
> I have amd64, but it was easy enough to find the amd64 ones. Then I
> noticed that they are 4.0_r1 and I just have the original 4.0. That
> is where I struck out and was unable to find any other than r1.

Googling for "debian-40r0-amd64-DVD-1.iso" finds a few places that list
the checksums for 4.0r0, for example:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg16901.html

You can compare your md5/sha1sums with the ones listed there. That is
nowhere near as good as having a signed file, but it is better than
nothing.

[...]

> I ended up doing this anyways, since they are official DVDs from a
> vendor listed at debian.org.

It does not hurt to check against the checksums on the web. One of the
DVDs might have been produced incorrectly or might have been damaged
since. (Most physical damage would probably have shown up already as a
read error when you ran md5/sha1sum, though.)

> I was going to file a bug about the
> Release.gpg not being present, until I suddenly realized that they
> can't put them on the ISO image without changing the checksum.

This is a minor point, but let me clarify: The "Release.gpg" file only
vouches for the content of the "Release" file and nothing else. The
Release file has the checksums for the "Packages", "Packages.gz", and
"Packages.bz2" files, which in turn list the checksums for the
individual .deb packages. You can look at all these files, they are
just (compressed) ASCII text. Therefore it would be possible to put
Release.gpg files on the CDs and DVDs. Maybe this is not done because
the security implications are different for physical media than they
are for repeatedly downloading packages from the net.

[...]

> > > I should have been more clear about that. I don't have different
> > > versions since I just have packages from the Etch DVDs. It isn't in
> > > the actual aptitude list, but instead in the individual package
> > > entries. The list of packages that depend on the package sometimes
> > > shows duplicate entries for packages that I already have. This may
> > > just be an artifact of the way that aptitude tracks reverse
> > > dependencies. An example is under apt, the list of 'packages which
> > > depend on apt' includes:
> > >
> > > i debtags 1.6.6
> > >
> > > i debtags 1.6.6
> >
> > Hmm, can you post the output of "apt-cache policy debtags"?
>
> Here it is, but debtags isn't the only one:
>
> debtags:
>   Installed: 1.6.6
>   Candidate: 1.6.6
>   Version table:
>  *** 1.6.6 0
>         500 cdrom://[Debian GNU/Linux 4.0 r0 _Etch_ - Official amd64 DVD Binary-1 20070407-12:15] etch/main Packages
>         100 /var/lib/dpkg/status

That looks OK to me. I don't understand why you get these duplicate
entries in aptitude's interactive interface.

-- 
Regards,            | http://users.icfo.es/Florian.Kulzer
          Florian   |
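
The chain described in the reply above (Release.gpg vouches for Release, Release lists the checksums of the Packages files, Packages lists the checksums of the .deb files), walked in code. This is an added example, not part of the original message; the function names, the pool path and all file contents are constructed, and it assumes Release has already been checked against Release.gpg with gpg.

```python
import hashlib

def release_hashes(release_text, field="SHA1"):
    """Map path -> (hexdigest, size) from one checksum section of a Release file."""
    out, active = {}, False
    for line in release_text.splitlines():
        if line and not line[0].isspace():      # a new top-level field starts here
            active = line.rstrip() == field + ":"
        elif active and line.strip():           # indented " digest size path" entry
            digest, size, path = line.split()
            out[path] = (digest, int(size))
    return out

def package_sha1(packages_text, name):
    """Return (Filename, SHA1) from the stanza for `name` in a Packages file."""
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l[0].isspace())  # skip continuation lines
        if fields.get("Package") == name:
            return fields["Filename"], fields["SHA1"]
    raise KeyError(name)

def verify_deb(release_text, packages_path, packages_bytes, name, deb_bytes):
    """Walk Release -> Packages -> .deb. Assumes Release was already verified
    against Release.gpg, since nothing else in the chain is signed."""
    digest, size = release_hashes(release_text)[packages_path]
    if len(packages_bytes) != size or hashlib.sha1(packages_bytes).hexdigest() != digest:
        return False    # Packages is not the file that Release vouches for
    _, deb_sha1 = package_sha1(packages_bytes.decode(), name)
    return hashlib.sha1(deb_bytes).hexdigest() == deb_sha1

# Constructed sample data (not real archive contents).
DEB = b"constructed stand-in for debtags_1.6.6_amd64.deb"
PACKAGES = ("Package: debtags\nVersion: 1.6.6\n"
            "Filename: pool/main/d/debtags/debtags_1.6.6_amd64.deb\n"
            f"SHA1: {hashlib.sha1(DEB).hexdigest()}\n"
            "Description: constructed entry\n extended text\n").encode()
PKG_PATH = "main/binary-amd64/Packages"
RELEASE = ("Suite: etch\nSHA1:\n"
           f" {hashlib.sha1(PACKAGES).hexdigest()} {len(PACKAGES)} {PKG_PATH}\n")

if __name__ == "__main__":
    print("intact chain:", verify_deb(RELEASE, PKG_PATH, PACKAGES, "debtags", DEB))
    print("modified .deb:", verify_deb(RELEASE, PKG_PATH, PACKAGES, "debtags", DEB + b"x"))
```

A Packages file rewritten to match a modified .deb is rejected as well, because its own checksum no longer matches the entry in Release.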