But doesn't Packages.gz contain the md5sum of all the .debs under the directory it's in? I see a line in Packages.gz (after decompressing) that reads something like:
MD5sum: 7513d28d6ddde80706727944e9732c2c

Doesn't apt-get check this line before installing stuff?

On Wed, 08 Nov 2000, Bruce Richardson wrote:
> On Tue, Nov 07, 2000 at 02:22:29AM +0000, John Carline wrote:
> > However, I'm not above accepting all the help I can find. Can
> > someone verify the statement below? Or better yet, is the
> > statement wrong? Is there a way to verify the integrity of the
> > downloaded debs?
>
> dpkg -p debian-keyring
> man dscverify
>
> Also Packages.gz can and should be signed.
>
> Unfortunately, while source packages can be checked quite easily, they
> are not always verifiable. There is no simple mechanism for verifying
> debs *at all*. Nor even Packages.gz - and the integrity of Packages.gz
> isn't actually a guarantee of the integrity of any of the packages.
>
> So there is a hole here.
>
> --
> Bruce
>
> Remember you're a Womble.
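The following is an added example, not part of the thread and not apt's or dpkg's own code: a Python sketch of what checking a downloaded file against the `Filename`, `Size` and `MD5sum` fields of a decompressed Packages index amounts to. The package name, path and file contents are constructed sample data, and `parse_packages`, `check_deb` and `build_index` are hypothetical helper names.

```python
import gzip
import hashlib

def parse_packages(index_bytes):
    """Parse a decompressed Packages index into {Filename: fields}."""
    entries = {}
    for stanza in index_bytes.decode("utf-8").strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries

def check_deb(entries, filename, deb_bytes):
    """Return (ok, reason) for one downloaded file checked against the index."""
    entry = entries.get(filename)
    if entry is None:
        return False, "not listed in index"
    if "Size" in entry and int(entry["Size"]) != len(deb_bytes):
        return False, "size mismatch"
    if hashlib.md5(deb_bytes).hexdigest() != entry.get("MD5sum", "").lower():
        return False, "MD5sum mismatch"
    return True, "matches index"

# Constructed sample data: a stand-in .deb body and the index describing it.
NAME = "pool/main/h/hello/hello_1.0_i386.deb"
DEB = b"!<arch>\nconstructed sample package body\n"

def build_index(deb_bytes, name=NAME):
    """Build a gzip-compressed one-stanza index for deb_bytes (sample only)."""
    stanza = (f"Package: hello\nVersion: 1.0\nFilename: {name}\n"
              f"Size: {len(deb_bytes)}\n"
              f"MD5sum: {hashlib.md5(deb_bytes).hexdigest()}\n"
              "Description: constructed example\n more text\n")
    return gzip.compress(stanza.encode("utf-8"))

if __name__ == "__main__":
    entries = parse_packages(gzip.decompress(build_index(DEB)))
    altered = DEB[:-2] + b"X\n"                    # same length, different bytes
    print(check_deb(entries, NAME, DEB))           # intact download
    print(check_deb(entries, NAME, altered))       # corrupted or altered download
    # The check compares the file only with the index it was given, so it is
    # only as trustworthy as that index; hence the call for a signed index.
    regenerated = parse_packages(gzip.decompress(build_index(altered)))
    print(check_deb(regenerated, NAME, altered))
```

The first two calls show the field catching a changed file; the third shows that an index regenerated for the changed file accepts it, so the comparison says nothing about origin unless the index itself is authenticated.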