l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2008 Aug 12 01:32

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Verify Ubuntu files
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Verify Ubuntu files

Quoting Brian Lavender (brian@brie.com):

> I thoguht maybe with a live CD, that you could verify against a deb
> package repository.

Hmm, interesting problem.  Let's think about it.

The most obvious way would probably not be practical:  The binary .debs
you originally installed from were were in many cases shipped with the
md5sum values of all included files.  _If_ you were (hypothetically)
able to trust /var/lib/dpkg/info/*.md5sums , then "debsums -ca" would
check md5sum signatures against those files -- but those md5sum files
cannot be trusted on a suspect system any more than /var/lib/rpm/* can
on an RPM-based system.[1]

_If_ you could rebuild an equivalent of /var/lib/dpkg/info/*.md5sums
inside your live CD, working from repository info, then you could run
"debsums -ca" against that.  But the independent clause ("if...") of
that conditional sounds problematic.  ;->

If you had on trustworthy media, or could re-fetch, the .deb files from
which you had built your system, you could try this on them, which
Joey Hess said (a couple of years ago) that he keeps around as shell 
script "verifydeb":

dpkg --fsys-tarfile $1 | tar -C / -d

Anthony Towns's script apt-check-sigs is also worth looking through (though
I've not looked at it in years:

Apologies for not being able to give you a definitive answer, but I'm
dead-tired, and hope the URL pointers are useful.

[1] As this topic has come up more than a few times on various mailing
lists, I have more on the subject here:  "Package Signing" on
vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.