On 25.11.19 at 17:52, Elmar Stellnberger wrote:
Not using apt/dpkg comes at the expense of not being able to fully
verify the whole system. What if there are outdated packages on the
system which aren't available from the repository anymore? Using
snapshot.debian.org?
I have just extended debcheckroot to also support file repos. Now it
can check 100% of the packages I have installed. That was necessary
because f.i. the printer driver is vendor specific and cannot be
fetched from an online repo. I will publish that as debcheckroot v2.2
soon. Outdated packages are a problem though; I had supposed that
Debian would maintain sha256sums for packages not available online any
more. However, I do not see any good possibility to resolve this
without support from the distributors. I am also not sure whether
outdated updates would still be available on snapshot.debian.org; I
would not believe so, though perhaps someone else reading this list
could help us. If it is not about updates but about singleton packages,
one could download specific packages from snapshot by hand if one
really comes across having installed such a package.
If debcheckroot cannot find many packages, that may point to an
intentionally altered package database and thus to a possible infection
of your system. I have seen many ways to avoid scrutiny by
debcheckroot in the past, and this may just be an easy way to achieve
this. Remember that with a freshly updated system + packages you
downloaded manually, 100% of all packages should be verifiable. I do
think of the theoretically constructed case that a package is still
installed that is no longer available via the update repo as rather
improbable, as normally the base version of all packages is available in
the base repo. If a newer version is available in the update repo, the
update should have been installed as well.
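As an added illustration (not code from debcheckroot or from anyone in this thread), the check discussed above in Python: which installed package versions have no entry in the repository's Packages index, and therefore cannot be verified from that repo, plus a SHA256 comparison of a locally held .deb against the index. The Packages excerpt, the dpkg-query output and the .deb bytes are constructed sample data; the package names and versions are placeholders.

```python
import hashlib

# Constructed stand-in for a .deb held locally (not a real package).
FAKE_BASH_DEB = b"constructed stand-in for bash_5.0-4_amd64.deb"
PLACEHOLDER_HASH = "0" * 64  # placeholder digest for an entry we never verify here

# Constructed excerpt of a Debian "Packages" index: stanzas separated by a blank line.
# The SHA256 of bash is derived from the stand-in bytes so the check below is self-consistent.
PACKAGES_INDEX = f"""\
Package: bash
Version: 5.0-4
Filename: pool/main/b/bash/bash_5.0-4_amd64.deb
SHA256: {hashlib.sha256(FAKE_BASH_DEB).hexdigest()}

Package: curl
Version: 7.64.0-4+deb10u2
Filename: pool/main/c/curl/curl_7.64.0-4+deb10u2_amd64.deb
SHA256: {PLACEHOLDER_HASH}
"""

# Constructed output of `dpkg-query -W -f '${Package} ${Version}\n'` on the audited host:
# curl is installed at an older revision than the index offers, hplip-vendor is a vendor package.
INSTALLED = """\
bash 5.0-4
curl 7.64.0-4+deb10u1
hplip-vendor 3.19.1-1
"""


def parse_packages_index(text):
    """Map (package, version) -> (filename, sha256) from control-style stanzas."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line and not line[0].isspace() and ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        index[(fields["Package"], fields["Version"])] = (fields["Filename"], fields["SHA256"].lower())
    return index


def unverifiable(installed_text, index):
    """Installed (name, version) pairs with no stanza in the index: these cannot be checked
    from this repo and need a file repo or snapshot lookup; a long list is itself a red flag."""
    missing = []
    for line in installed_text.strip().splitlines():
        name, version = line.split()
        if (name, version) not in index:
            missing.append((name, version))
    return missing


def verify_deb(deb_bytes, name, version, index):
    """True/False if the local .deb matches the index SHA256, None if the index lacks it."""
    entry = index.get((name, version))
    if entry is None:
        return None
    return hashlib.sha256(deb_bytes).hexdigest() == entry[1]


if __name__ == "__main__":
    idx = parse_packages_index(PACKAGES_INDEX)
    for name, version in unverifiable(INSTALLED, idx):
        print(f"not in repo index: {name} {version}")
    print("bash matches index:", verify_deb(FAKE_BASH_DEB, "bash", "5.0-4", idx))
```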