[ https://issues.apache.org/jira/browse/COMPRESS-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13809038#comment-13809038 ]

Bear Giles commented on COMPRESS-133:
-------------------------------------

To give you two examples of how this can be used:

1. The deb format for the package 'foo' includes a file containing MD5
checksums for all of the files in the package, stored in
/var/lib/dpkg/info/foo.md5sums. This can be used to verify the contents of
the package, e.g., to detect modification. However, a really paranoid site
may not trust the contents of this file since it's well-known - a
sophisticated attacker could modify the contents of this file. This would
not be caught by the cryptographic signatures on the .deb files. A paranoid
site may wish to periodically download the package and either compare the
checksums in the control file or even recompute all values by opening the
data.tar.gz file.

It's worth noting that a few packages break the spec and don't include
checksums for all of the included files. The standard Debian tools create
this file automatically but it's not difficult for somebody to create a
file manually.

2. A more sophisticated approach will check file ownership and permissions.
AFAIK this information is not stored in the /var/lib/dpkg/info directory, so
the only way to do that is to scan the data.tar.gz file yourself.

(As an aside, you can check for 'unknown' files by concatenating all of the
/var/lib/dpkg/info/*.md5sums files and running 'md5sums' on the /usr, /bin
and /sbin directories and diff'ing them. /lib may show differences in
symlinks, and /etc has a lot of 'control' files. It won't catch rootkits,
but it will catch files that didn't come from a .deb package.)

Bear
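Added example, not part of Bear's comment or of Commons Compress: a Python script that builds a constructed .deb-style ar archive in memory (the three-member layout from the issue description: debian-binary, control.tar.gz, data.tar.gz) and then performs both checks from the comment. It recomputes the MD5 of every file in data.tar.gz and compares it with the md5sums file shipped in control.tar.gz, reporting modified, missing and unlisted files, and it lists the owner, group and mode bits of each entry, which only data.tar.gz carries. The ar reader, the sample package 'foo', and the "setuid/setgid or world-writable" rule are assumptions of this example; it uses Python's tarfile module rather than the Commons Compress API.

```python
"""Verify a .deb the way a paranoid site might: re-derive md5sums and inspect
ownership/mode from data.tar.gz instead of trusting /var/lib/dpkg/info.
All package data below is constructed for the example."""
import hashlib
import io
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_pack(members):
    """Write a common-format ar archive from (name, payload) pairs.
    Header is 60 bytes: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] "`\\n".
    Odd-sized members are padded with a newline, as the format requires."""
    out = bytearray(AR_MAGIC)
    for name, payload in members:
        hdr = (name.encode().ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
               + b"100644".ljust(8) + str(len(payload)).encode().ljust(10) + b"`\n")
        out += hdr + payload + (b"\n" if len(payload) % 2 else b"")
    return bytes(out)


def ar_unpack(blob):
    """Parse an ar archive into {member name: payload}; rejects bad magic/headers."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[:16].decode().rstrip(" /")  # GNU ar appends '/', dpkg-deb does not
        size = int(hdr[48:58])
        pos += 60
        members[name] = blob[pos:pos + size]
        pos += size + size % 2
    return members


def tar_gz(entries):
    """Build a gzip-compressed tar from (path, content, mode, owner) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content, mode, owner in entries:
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            info.uname = info.gname = owner
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _norm(path):
    # data.tar entries are "./usr/bin/foo"; the md5sums file lists "usr/bin/foo"
    return path[2:] if path.startswith("./") else path


def parse_md5sums(text):
    """md5sums control file: one '<32 hex digits>  <path>' line per file."""
    return {path: digest for digest, path in
            (line.split(None, 1) for line in text.decode().splitlines() if line.strip())}


def verify_deb(deb):
    """Recompute every file's MD5 from data.tar.gz and diff it against control's md5sums."""
    members = ar_unpack(deb)
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("missing or unsupported debian-binary member")
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as ctl:
        md5_entry = next(m for m in ctl if _norm(m.name) == "md5sums")
        expected = parse_md5sums(ctl.extractfile(md5_entry).read())
    actual, perms = {}, []
    with tarfile.open(fileobj=io.BytesIO(members["data.tar.gz"]), mode="r:gz") as data:
        for entry in data:
            perms.append((entry.name, entry.mode, entry.uname, entry.gname))
            if entry.isfile():
                actual[_norm(entry.name)] = hashlib.md5(data.extractfile(entry).read()).hexdigest()
    return {
        "mismatched": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),    # listed, not shipped
        "unlisted": sorted(p for p in actual if p not in expected),   # shipped, not listed (spec break)
        "permissions": perms,
    }


def risky_entries(perms):
    """Entries with setuid/setgid or world-writable bits; visible only in data.tar.gz."""
    return [name for name, mode, _, _ in perms if mode & 0o6002]


def build_sample_deb(tamper=False):
    """Constructed package 'foo'. With tamper=True one file is altered after the
    md5sums were computed and one file is left out of md5sums altogether."""
    pristine = b"#!/bin/sh\necho hello\n"
    files = [
        ("./usr/bin/foo", pristine, 0o755, "root"),
        ("./usr/bin/foo-helper", b"\x7fELF placeholder\n", 0o4755, "root"),  # setuid
        ("./etc/foo.conf", b"verbose=0\n", 0o640, "foo"),
    ]
    md5sums = "".join("%s  %s\n" % (hashlib.md5(c).hexdigest(), _norm(p))
                      for p, c, _, _ in files if not (tamper and p.endswith("foo-helper")))
    if tamper:
        files[0] = ("./usr/bin/foo", pristine.replace(b"hello", b"HELLO"), 0o755, "root")
    control = tar_gz([("./md5sums", md5sums.encode(), 0o644, "root")])
    return ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", control),
                    ("data.tar.gz", tar_gz(files))])


if __name__ == "__main__":
    for label, deb in (("clean", build_sample_deb()), ("tampered", build_sample_deb(tamper=True))):
        report = verify_deb(deb)
        print(label, {k: v for k, v in report.items() if k != "permissions"})
        for name, mode, uname, gname in report["permissions"]:
            print("  %o %s:%s %s" % (mode, uname, gname, name))
        print("  risky:", risky_entries(report["permissions"]))
```

Run it against a real package by reading the .deb bytes from disk and passing them to verify_deb; the "unlisted" list is exactly the case the comment mentions of packages that ship files without a checksum, and the "permissions" list is where a setuid helper or a world-writable path shows up before anything is installed.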
> Mention Debian/Ubuntu packages in AR format documentation
> ---------------------------------------------------------
>
>                 Key: COMPRESS-133
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-133
>             Project: Commons Compress
>          Issue Type: Improvement
>          Components: Documentation
>            Reporter: Bear Giles
>            Priority: Trivial
>
> The documentation for the AR format can/should mention that it is the basis 
> for Debian/Ubuntu packages. A .deb file is actually an AR file with three 
> elements:
> _debian-binary_: version number ("2.0")
> _data.tar.gz_: compressed tarball containing the package's files
> _control.tar.gz_: compressed tarball containing the package's metadata 
> (information, installation and removal scripts, etc.)
> People will normally want to use the Debian package management tools but it's 
> nice to know that we can access the 'original' content if necessary.
--
This message was sent by Atlassian JIRA
(v6.1#6144)