On Mon, 25 Jun 2001, Ian C. Sison wrote:
> Curious. Does the debian package system maintain stuff like MD5
> signatures for the files, as well as version and release information? In
> what format is it stored? For instance, if a box has been hacked, can
> you run dpkg with a switch that will allow you to check the md5 sigs of each
> file in its database?

MD5 signatures for which files? Installed files? Downloaded files?
The newer .deb files have MD5sums in them. I think that's one feature
Debian folk found nice in RPM and they absorbed that feature into the dpkg
system at a certain point (just this year, I think).
Debian also has GPG/PGP sigs on key files with MD5 sums as well.
To illustrate, here's an example .dsc file for util-linux:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: util-linux
Version: 2.11d-1
Binary: bsdutils, mount, util-linux-locales, util-linux
Maintainer: Adrian Bunk <[EMAIL PROTECTED]>
Architecture: any
Standards-Version: 526.7.8.9.13-Foo.6
Build-Depends: libncurses5-dev, slang1-dev, gettext
Files:
 d84a08a3dafbb1bb2fc88ece35e805cd 1293777 util-linux_2.11d.orig.tar.gz
 731a4d9e30e5ea2ae83d44624ceb4610 47048 util-linux_2.11d-1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7EPrEmfzqmE8StAARAhCQAKChxnI2Boj7hyNMvg9n1lnkCHXGSgCgmm85
JiARwfVXFx1rl+xmgVMxYmM=
=ko3M
-----END PGP SIGNATURE-----

The diff file provides modifications to the source primarily to make the
original sources "fit" the Debian Filesystem Hierarchy Standard (FHS) for
placement of configuration files, documentation files, non-modifiable
files, etc. This gives a semblance of order in the whole system that you
would like to expect instead of just a collection of programs from
different sources with different schemes for file placement. Using
tarballs from a variety of authors will probably confuse you to no end
about config file placement for example. One author will write code to
expect the config file in /etc/foo.cfg, another will want it in
/usr/local/etc/foo.cfg, and yet another will write his program to look for
it in /opt/lib/foo.cfg. What packaging systems provide is a coherent
organization of files and their placement. This alone is a major reason to
shift to a distribution that provides a packaging system.

The diffs also incorporate patches that either fix bugs or add new
features not in the upstream tarball. Configuration programs are added
that provide the Debian feel. X programs have hooks to the menu system
that Debian provides so adding new programs to your system gets integrated
into your X window manager's menu (just as an example).

The diffs also add default configuration files, man pages (some upstream
sources do not have man pages), a list of files included in the resulting
binary package as well as their final locations, one to four scripts used
in installation or removal of the package (util-linux.[pre,post][inst,rm])
and other goodies that I don't have a handle on this late in the
morning. (geez... it's 5am and i'm still up)

To build a binary from the sources, I would use "apt-get source
util-linux" in a directory where I want the source tree to be built.
Usually this will be in /usr/src, but I could opt to do this elsewhere so
I can experiment with it. apt-get then pulls the .dsc, orig.tar.gz and the
diff.gz into my current working directory. After apt-get has completed
pulling those three files from upstream, dpkg-source kicks in and reads
the .dsc file, untars the orig.tar.gz, and applies the diffs. I now have a
util-linux-<version.pl> subdirectory to which I cd. I can mess around
with the sources if I wanted, then build a new .deb binary by typing
"debian/rules build" then "debian/rules binary". This will produce a
spanking clean <package-name>.deb in the parent directory which I can now
install like a regular debian package pulled from the main repositories
using "dpkg -i <package-name>.deb".

More info on this in the Debian GNU/Linux FAQ
(http://www.debian.org/doc/FAQ/) if you're interested.

-x
___ eric pareja ([EMAIL PROTECTED]) ~-=[O]=-~ Here, have a clue. Get the picture.
\@/ PGP key at http://gra.ph/~xenos/xenos.pgp <|PLUG|> http://gra.ph
v "Even the smallest person can change the course of the future."
- Lady Galadriel in J.R.R. Tolkien's "The Lord of the Rings"
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
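
Added example (not part of the original message, and not Debian's own tooling): a small Python check that reads the "Files:" field of a .dsc like the one quoted above and compares each listed size and MD5 sum against the files in a directory. It covers the source files named in the .dsc, not installed files; the function names and the demo data are constructed for illustration, and it assumes the PGP signature on the .dsc has already been verified separately, since the sums are only as trustworthy as the file that lists them.

```python
import hashlib
import os
import tempfile

def parse_dsc_files(dsc_text):
    """Return [(md5hex, size, filename)] from the 'Files:' field of a .dsc."""
    entries, in_files = [], False
    for line in dsc_text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            parts = line.split()
            # The field ends at the first line that is not "<md5> <size> <name>".
            if len(parts) != 3 or len(parts[0]) != 32 or not parts[1].isdigit():
                break
            entries.append((parts[0].lower(), int(parts[1]), parts[2]))
    return entries

def verify(entries, directory):
    """Map each filename to 'ok', 'missing', 'size mismatch' or 'md5 mismatch'."""
    report = {}
    for md5hex, size, name in entries:
        # basename() keeps a hostile entry from pointing outside the directory
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            report[name] = "size mismatch"
        elif hashlib.md5(data).hexdigest() != md5hex:
            report[name] = "md5 mismatch"
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed data: two stand-in files, one altered after the .dsc is written."""
    files = {"demo_1.0.orig.tar.gz": b"upstream source", "demo_1.0-1.diff.gz": b"debian diff"}
    with tempfile.TemporaryDirectory() as d:
        lines = ["Format: 1.0", "Source: demo", "Files:"]
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            lines.append(" %s %d %s" % (hashlib.md5(data).hexdigest(), len(data), name))
        lines.append("-----BEGIN PGP SIGNATURE-----")
        with open(os.path.join(d, "demo_1.0-1.diff.gz"), "wb") as fh:
            fh.write(b"debian d1ff")  # same length, different content
        return verify(parse_dsc_files("\n".join(lines)), d)
```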