Re: Package verification and /usr/bin/install tool replacements

On Sat, Oct 04, 2003 at 04:39:49AM +1000, Kim Lester wrote: Some of the ideas I have implemented include a pkg info file in each package containing the pathname uid, gid (numeric) md5sum, size (useful to humans) mode symlink target (for symlinks) a

Re: Package verification

Matthew Palmer [EMAIL PROTECTED] wrote: On Wed, Oct 08, 2003 at 12:24:37AM +1000, Kim Lester wrote: There is no way to verify/correct the MODE, USER, GROUP, TYPE of any files installed in a pkg. If I am wrong please point out where, with an installed pkg (and preferably without having a copy

Re: Package verification

On Wednesday 08 October 2003 09:04, Andreas Metzler wrote: 'chown -R ...' accidentally excuted in the wrong directory comes to my mind. Or filesystem corruption after a hard crash. But then not only files from packages, but also user files are subject of corruption. Using a tool like

RE: Package verification

-Original Message- From: Brian May [mailto:[EMAIL PROTECTED] Sent: Sunday, October 05, 2003 9:39 AM To: Fabien Ninoles Cc: Kim Lester; debian-devel@lists.debian.org Subject: Re: Package verification and /usr/bin/install tool replacements On Sat, Oct 04, 2003 at 01:42:36PM -0400, Fabien

Re: Package verification

On Wed, Oct 08, 2003 at 12:24:37AM +1000, Kim Lester wrote: There is no way to verify/correct the MODE, USER, GROUP, TYPE of any files installed in a pkg. That appears to be the case, partly because permissions may be changed from those files which are contained withing the .deb file via

Re: Package verification

On Wed, Oct 08, 2003 at 12:24:37AM +1000, Kim Lester wrote: There is no way to verify/correct the MODE, USER, GROUP, TYPE of any files installed in a pkg. If I am wrong please point out where, with an installed pkg (and preferably without having a copy of the .dpkg around) once can tell if a

Package verification ? (Best practice)

Hmmm... On Sun, Oct 05, 2003 at 09:38:30AM +1000, Brian May wrote: On Sat, Oct 04, 2003 at 01:42:36PM -0400, Fabien Ninoles wrote: Although your proposition seems more complete, have you try debsums and checksecurity? debsums with the following feature in /etc/apt/apt.conf

RE: Package verification and /usr/bin/install tool replacements

solution does. regards kim -Original Message- From: Rene Engelhard [mailto:[EMAIL PROTECTED] Sent: Saturday, October 04, 2003 5:45 AM To: debian-devel@lists.debian.org Subject: Re: Package verification and /usr/bin/install tool replacements Kim Lester wrote: Although

Re: Package verification and /usr/bin/install tool replacements

Kim Lester wrote: Although debian packages may contain md5sums it seems package verification is not available (unless I have missed something). Although your proposition seems more complete, have you try debsums and checksecurity? debsums with the following feature in /etc/apt/apt.conf DPkg

Re: Package verification and /usr/bin/install tool replacements

On Sat, Oct 04, 2003 at 01:42:36PM -0400, Fabien Ninoles wrote: Although your proposition seems more complete, have you try debsums and checksecurity? debsums with the following feature in /etc/apt/apt.conf DPkg::Post-Invoke { debsums --generate=nocheck -sp /var/cache/apt/archives;

Package verification and /usr/bin/install tool replacements

Although debian packages may contain md5sums it seems package verification is not available (unless I have missed something). Also I find the traditional /usr/bin/install type tools rather primitive. As I understand it a debian pkg relies on information in the tar archive itself to store

Re: Package verification and /usr/bin/install tool replacements

Hi, Kim Lester wrote: Although debian packages may contain md5sums it seems package verification is not available (unless I have missed something). Probably you missed debsums... Grüße/Regards, René -- .''`. René Engelhard -- Debian GNU/Linux Developer : :' : http://www.debian.org

Re: New Source Formats and Source Package Verification

In article [EMAIL PROTECTED] you wrote: : BTW: Do you know anybody who really needs to put all the tools needed : to build source packages onto floppies? :-) Yes, I do. A friend has an older laptop that has a floppy drive, and that's his only current path of getting bits in and out. He may

Re: New Source Formats and Source Package Verification

[EMAIL PROTECTED] (Manoj Srivastava) wrote on 13.05.97 in [EMAIL PROTECTED]: Or, thirdly, we use pristine sources iff they are in supported formats, or else the upstream source is massaged into a supported format, and BIG signs are posted pointing to the real sources and the steps

Re: New Source Formats and Source Package Verification

, but not in the source tree. None of the mechanisms recently discussed are going to change that, so far as I can tell. * [5.1] Binary package verification (the issues here are substantially similar to those of source package verification). We should use the same package format for binary and source

Re: New Source Formats and Source Package Verification

Please clarify - unpacking a Debian source package is different than unpacking an upstream source package (which may require tar, unzip, zoo, lha, jar, etc.). Right? Andy Mortimer wrote: Personally, I'd be inclined to disagree here, especially given [1.5] below. If I've gone to all the

Re: New Source Formats and Source Package Verification

[EMAIL PROTECTED] (Andy Mortimer) wrote on 13.05.97 in [EMAIL PROTECTED]: On May 12, Jim Pick wrote Excellent write-up, Klee. Thanks for doing it. I second this; a lot of thought has obviously gone into this, and it shows! aol Me too! /aol * [1.1] It must be possible to

Re: New Source Formats and Source Package Verification

How about where part of the upstream archive could go into the main distribution, but part needs to go into non-free or non-US, even for the sources? That's a case where you _must_ repack the original archive. MfG Kai No. I'd just say upload the upstream sources to the non-US

Re: New Source Formats and Source Package Verification

Hi, Jim == Jim Pick [EMAIL PROTECTED] writes: Might it be possible to, say, have a list of `supported formats' -- .tar.gz, .zip, others? -- and at least give the option of downloading upstream sources which were originally in other formats as a tarball? This is far from ideal, for any number

Re: Package Verification

brian white writes (Re: Package Verification ): This is fine, but it doesn't help with verifying packages on non-Debian systems as is required by people who must do an actual FTP from another machine. As for the format, feel free to alter it. I figured I would be parsing this line out

Re: Package Verification

From: Ian Jackson [EMAIL PROTECTED] I suppose we could put the file size in the Packages file; it just might get a bit cluttered with all of this information. What do people feel about this ? I think a field with the size _and_ MD5 checksum on the same line would be helpful. We don't collect

Re: Package Verification

Bruce said, regarding Packages file info: I think a field with the size _and_ MD5 checksum on the same line would be helpful. We don't collect this information anywhere else, to my knowledge. The sum(1) checksum might also be useful. I know that sum(1) has been characterized here as totally

Re: Package Verification

I'd rather avoid the sum(1) checksum, because there are two implementations of sum(1), the BSD and SYSV, that output different checksums for the same data. Too many people will get confused when they see the wrong sum. Bruce  -- Bruce Perens [EMAIL PROTECTED] Pixar Animation Studios

Re: Package Verification

brian white writes (Package Verification ): I'd like to suggest another field to be automatically added to the Packages files that exist at the top of each hierarchy in the distribution. I'd like to see a Checksum: field that can be used to verify the correct download of these packages. I

Package Verification

I'd like to suggest another field to be automatically added to the Packages files that exist at the top of each hierarchy in the distribution. I'd like to see a Checksum: field that can be used to verify the correct download of these packages. I think including both an 'md5sum' and a (filesize)