Hi Elmar! This is a most interesting tool!

The openSUSE logo on http://www.elstel.org/debcheckroot/ is confusing, since this is a Debian tool. This might scare off interested people.

> As Debian package headers do not use to be signed

I think you are mistaken here, or maybe I misunderstand. When you have a Debian medium you trust (such as a Live DVD from a trusted source), you can regard the keys in /etc/apt/trusted.gpg.d/ and /etc/apt/trusted.gpg as trusted. For example, http://ftp.us.debian.org/debian/dists/jessie/InRelease and http://ftp.us.debian.org/debian/dists/jessie/Release.gpg are gpg signed by the Debian archive key. So when you run apt-get update followed by apt-get download $packagename, you get a package that is signed by the Debian archive key. You can then unpack the package, create sha sums of all its contents and then compare with the installed system. Sure, it's not perfect, but worth verifying this trust chain. It would be better/cleaner/simpler to implement this if Debian would publish signed sha sums files of all package contents. Lots of opportunities to improve Debian in order to implement such a feature here.

I once attempted to write a script that can be run from a Live DVD to audit an installed Debian on hdd, or to mount an image with Debian and to audit that. That script can be found here: https://github.com/Whonix/whonix-developer-meta-files/blob/master/deprecated_code/verify_build

This approach seemed futile to me. At least for now. There are too many files that are automatically generated by postinst scripts. For example, /usr/lib/pymodules/python2.7/**/__init__.pyc gets automatically generated. Even worse, the file is non-deterministic. In future the situation may improve: https://wiki.debian.org/ReproducibleBuilds It would also help if Debian had an OEM mode.

Links to these discussions can be found here: http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000010.html

For Whonix, Verifiable Builds have been implemented, which is similar to this tool: http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20131209/000009.html

As a maintainer of Whonix and interested in that feature, I am naturally interested in your tool.

> Why you should not use debsums

Please don't be so harsh on debsums. It's not for backdoor detection, but great as a simple integrity check.

Cheers,
Patrick
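The comparison step described in the mail above (unpack the downloaded package, hash its contents, compare with the installed system, and cope with files postinst regenerates), as an added example that is not Patrick's script nor debcheckroot's code. It assumes PKGDIR holds the output of `dpkg-deb -x pkg.deb PKGDIR` and ROOTDIR is the mounted root under audit; the demo uses constructed directories.

```shell
#!/bin/sh
# Added example (not from the mail, not debcheckroot): compare an unpacked
# package tree with an installed root. One line per file:
#   OK / MISMATCH  sha256 of package file vs. installed file
#   MISSING        shipped by the package but absent on the root
#   EXTRA          on the root but shipped by no package: needs manual review
#   SKIP           known postinst output (*.pyc), non-deterministic, not comparable

list_files() { ( cd "$1" && find . -type f ) | sed 's|^\./||' | LC_ALL=C sort; }

compare_tree() {
    pkg=$1; root=$2
    list_files "$pkg" | while IFS= read -r f; do
        case "$f" in *.pyc) printf 'SKIP %s\n' "$f"; continue ;; esac
        if [ ! -f "$root/$f" ]; then printf 'MISSING %s\n' "$f"; continue; fi
        a=$(sha256sum "$pkg/$f" | cut -d' ' -f1)
        b=$(sha256sum "$root/$f" | cut -d' ' -f1)
        if [ "$a" = "$b" ]; then printf 'OK %s\n' "$f"; else printf 'MISMATCH %s\n' "$f"; fi
    done
    # Second pass: anything on the root that no package accounts for.
    list_files "$root" | while IFS= read -r f; do
        if [ -e "$pkg/$f" ]; then continue; fi
        case "$f" in *.pyc) printf 'SKIP %s\n' "$f" ;; *) printf 'EXTRA %s\n' "$f" ;; esac
    done
}

# Constructed stand-ins for the unpacked package (pkg) and the audited root.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pkg/usr/bin" "$tmp/root/usr/bin" "$tmp/root/usr/lib/pymodules"
    printf 'genuine\n'  > "$tmp/pkg/usr/bin/tool"
    printf 'genuine\n'  > "$tmp/root/usr/bin/tool"                   # identical  -> OK
    printf 'genuine\n'  > "$tmp/pkg/usr/bin/other"
    printf 'tampered\n' > "$tmp/root/usr/bin/other"                  # altered    -> MISMATCH
    printf 'x\n'        > "$tmp/pkg/usr/bin/gone"                    # not on root -> MISSING
    printf 'py\n'       > "$tmp/root/usr/lib/pymodules/__init__.pyc" # postinst   -> SKIP
    printf 'unknown\n'  > "$tmp/root/usr/bin/unknown"                # unaccounted -> EXTRA
    compare_tree "$tmp/pkg" "$tmp/root"
    rm -rf "$tmp"
}

demo
```

Against a real system, run `compare_tree PKGDIR ROOTDIR` once per downloaded package; the SKIP list is where the mail's reproducibility problem lives and is the part that needs growing by hand.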