Quoting Brian Lavender ([EMAIL PROTECTED]): > I thoguht maybe with a live CD, that you could verify against a deb > package repository.
Hmm, interesting problem. Let's think about it. The most obvious way would probably not be practical: The binary .debs you originally installed from were were in many cases shipped with the md5sum values of all included files. _If_ you were (hypothetically) able to trust /var/lib/dpkg/info/*.md5sums , then "debsums -ca" would check md5sum signatures against those files -- but those md5sum files cannot be trusted on a suspect system any more than /var/lib/rpm/* can on an RPM-based system.[1] _If_ you could rebuild an equivalent of /var/lib/dpkg/info/*.md5sums inside your live CD, working from repository info, then you could run "debsums -ca" against that. But the independent clause ("if...") of that conditional sounds problematic. ;-> If you had on trustworthy media, or could re-fetch, the .deb files from which you had built your system, you could try this on them, which Joey Hess said (a couple of years ago) that he keeps around as shell script "verifydeb": #!/bin/sh dpkg --fsys-tarfile $1 | tar -C / -d Anthony Towns's script apt-check-sigs is also worth looking through (though I've not looked at it in years: http://people.debian.org/~ajt/apt-check-sigs Apologies for not being able to give you a definitive answer, but I'm dead-tired, and hope the URL pointers are useful. [1] As this topic has come up more than a few times on various mailing lists, I have more on the subject here: "Package Signing" on http://linuxmafia.com/kb/Debian/ _______________________________________________ vox-tech mailing list vox-tech@lists.lugod.org http://lists.lugod.org/mailman/listinfo/vox-tech