on Tue, Sep 02, 2003 at 04:20:40PM -0700, Paul Yeatman ([EMAIL PROTECTED]) wrote:
> Hi, just curious if anyone knows how to "verify" a package with
> Debian. This has proved to be useful with some Red Hat machines I
> administer ("rpm {-V|--verify} <package name>"). Such a command will
> check that all the files and their attributes are as expected for that
> package. I've checked the manual page for dpkg a few times but have
> not come up with an equivalent command for Debian yet.

Debian packages aren't signed. There are authentication requirements for
uploading packages to distribution servers. There are various reasons
for this. Joey Hess is probably closest to the authoritative source.

Many files within many Debian packages _do_ have MD5 sums. The debsums
package allows you to validate installed files against an md5sum
database.

Think through what it is you're trusting when you do this.

There's some interesting online discussion of this issue. See:

  FROM: Anthony Towns
  DATE: 04/04/2000 01:59:57
  SUBJECT: Packages and Signatures, a summary
  http://www.geocrawler.com/archives/3/216/2000/4/1550/3549735/

  Subject: Re: ITP: mini-dinstall -- daemon for updating Debian packages in a repository
  From: Joey Hess <[EMAIL PROTECTED]>
  Date: Sun, 18 Aug 2002 20:37:11 -0400
  http://lists.debian.org/debian-devel/2002/debian-devel-200208/msg01172.html

  Subject: Checking Signatures and Checksums
  From: Aurelio Turco <[EMAIL PROTECTED]>
  Date: Tue, 03 Sep 2002 07:18:08 +0000
  http://cert.uni-stuttgart.de/archive/debian/user/2002/09/msg00339.html

There's also a debsig-verify package, which I just learned about
researching this question ;-)

This is a FAQ, but I'm not coming up with a definitive answer at the
Debian FAQ: http://www.debian.org/doc/FAQ/

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>
http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Defeat EU Software Patents! http://swpat.ffii.org/
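
The kind of check described in the reply above, as an added example that is not part of the original message and is not debsums' own code: it compares files against a dpkg-style md5sums list (lines of `<md5>  <relative path>`, as in `/var/lib/dpkg/info/<package>.md5sums`). The temporary tree, the file names and `demo()` are constructed for illustration; the second result shows the check passing once the list itself has been regenerated on the same host, which is the trust question the reply raises.

```python
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_md5sums(md5sums_path, root="/"):
    """Return {relative_path: "OK" | "FAILED" | "MISSING"} for each listed file."""
    results = {}
    with open(md5sums_path, encoding="utf-8", errors="surrogateescape") as fh:
        for line in fh:
            if not line.strip():
                continue
            # Each line is '<md5 hex>  <path relative to root>'.
            expected, rel = line.rstrip("\n").split(None, 1)
            target = os.path.join(root, rel)
            if not os.path.isfile(target):
                results[rel] = "MISSING"
            else:
                same = md5_of(target) == expected.lower()
                results[rel] = "OK" if same else "FAILED"
    return results


def demo():
    """Constructed sample tree; returns (honest_list, regenerated_list) results."""
    root = tempfile.mkdtemp()
    tool = os.path.join(root, "usr/bin/tool")
    sums = os.path.join(root, "pkg.md5sums")
    os.makedirs(os.path.dirname(tool))
    with open(tool, "wb") as fh:
        fh.write(b"original\n")
    with open(sums, "w") as fh:
        fh.write("%s  usr/bin/tool\n%s  usr/bin/gone\n" % (md5_of(tool), "0" * 32))
    with open(tool, "wb") as fh:
        fh.write(b"modified\n")          # file changes after the list was written
    before = verify_md5sums(sums, root)
    with open(sums, "w") as fh:          # list regenerated on the same host
        fh.write("%s  usr/bin/tool\n" % md5_of(tool))
    return before, verify_md5sums(sums, root)
```

The check is only as trustworthy as the list it reads: a reference copy kept off the host gives the "FAILED" result in the first case, while a list stored beside the files can simply agree with them.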