Hi,

There have been multiple kernel updates since Ubuntu Hardy was released... 2.6.24-16 to 2.6.24-19.

Can someone please explain why debsums lists many modules as "FAILED" ?
> debsums | grep -v OK

/lib/modules/2.6.24-16-generic/modules.pcimap FAILED
/lib/modules/2.6.24-16-generic/modules.dep FAILED
/lib/modules/2.6.24-16-generic/modules.ieee1394map FAILED
/lib/modules/2.6.24-16-generic/modules.usbmap FAILED
/lib/modules/2.6.24-16-generic/modules.isapnpmap FAILED
/lib/modules/2.6.24-16-generic/modules.inputmap FAILED
/lib/modules/2.6.24-16-generic/modules.seriomap FAILED
/lib/modules/2.6.24-16-generic/modules.alias FAILED
/lib/modules/2.6.24-16-generic/modules.symbols FAILED
/lib/modules/2.6.24-18-generic/modules.pcimap FAILED
/lib/modules/2.6.24-18-generic/modules.dep FAILED
/lib/modules/2.6.24-18-generic/modules.ieee1394map FAILED
/lib/modules/2.6.24-18-generic/modules.usbmap FAILED
/lib/modules/2.6.24-18-generic/modules.isapnpmap FAILED
/lib/modules/2.6.24-18-generic/modules.inputmap FAILED
/lib/modules/2.6.24-18-generic/modules.seriomap FAILED
/lib/modules/2.6.24-18-generic/modules.alias FAILED
/lib/modules/2.6.24-18-generic/modules.symbols FAILED
/lib/modules/2.6.24-19-generic/modules.pcimap FAILED
/lib/modules/2.6.24-19-generic/modules.dep FAILED
/lib/modules/2.6.24-19-generic/modules.ieee1394map FAILED
/lib/modules/2.6.24-19-generic/modules.usbmap FAILED
/lib/modules/2.6.24-19-generic/modules.isapnpmap FAILED
/lib/modules/2.6.24-19-generic/modules.inputmap FAILED
/lib/modules/2.6.24-19-generic/modules.seriomap FAILED
/lib/modules/2.6.24-19-generic/modules.alias FAILED
/lib/modules/2.6.24-19-generic/modules.symbols FAILED

Also,

> debsums | grep -v OK

returns a lot of missing md5 checks, shouldn't these files
have md5 sums as well ? ...

debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for binutils
debsums: no md5sums for binutils-static
debsums: no md5sums for bogofilter
debsums: no md5sums for bzip2
debsums: no md5sums for dosfstools
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for initscripts
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libgdbm3
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for rsync
debsums: no md5sums for startup-tasks
debsums: no md5sums for strace
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvutils
debsums: no md5sums for ubuntu-keyring
debsums: no md5sums for update-inetd
debsums: no md5sums for whois
debsums: no md5sums for xbase-clients
debsums: no md5sums for xorg
debsums: no md5sums for xserver-xorg
debsums: no md5sums for xserver-xorg-input-all
debsums: no md5sums for xserver-xorg-video-all
debsums: no md5sums for xutils

Thank you.

I'm not particularly well-versed in Debian policy (since that's upstream for .*buntu), but apparently there are a few reasons: Debian packages being built with a buildsystem that doesn't use the dh_sums thingie, Debain packagers deliberately keeping packages from getting checksummed and Debian policy only slowly changing: it just isn't mandatory but considered "best practice" (2007). You can generate them yourself by creating /etc/apt/apt.conf.d/90debsums:
(best before installing packages: your distro docs should have told you).

Package MD5s are of limited value, but yours isn't the only distro that sticks to supplying only that kind of checksums. The only thing they can "verify" is the integrity of the package itself not its contents. So that's another good reason for installing a file integrity checker (Aide, Samhain, Osiris or even tripwire) right after you install your OS (later on doesn't make much sense). Plus package MD5s should be superseded by GPG sigs anyway.

OK.

How can one verify 'any' debian package downloaded from the supported repositories ?

Is there a list of md5 sums somewhere ?

For example,

Where would I get the md5 to verify the package against an md5 online after download, not the one included in the release?

Thank you.

As far as I know all packages checksums themselves should be listed in the repo's "Packages.gz" and the package management application should check sums on download to see if its not corrupted. One trick I read is that once you got the package installed 'dpkg --fsys-tarfile [packagename] | tar -C / -d' could work. Else, if you have sources on untaintable media like CDROM, you could script something to unpack and compare against that. Maybe somebody else knows more.

Thank you for the pointers.

Is there is an md5 for the actual packages.gz ?

It looks like a nightmare to custom parse the md5 or sha values
out of the packages.gz into anything usable for a md5sum check.

It would be nice to verify a .deb package already downloaded against an online md5 without installing the package.

IIRC not a hash but a GPG sig.


You can easily get the package names and sums with 'zgrep -e "(^File|^MD5)" Packages.gz' to start with. still it's a *packages* hash and not of its contents.


The http://www.debian.org/doc/manuals/se...to/ch7.es.html tells you how to verify things the Debian way better than I can. If you have problems with Spanish you can complain to Debian for fscking up their site or find a mirror that has the securing-debian-howto/ch7.en.html or download the harden-doc package and check /usr/share/doc/harden-doc/html/securing-debian-howto/ch7.en.html.

Hi,

Debsums does check the MD5 hash of files provided by deb packages.

The module.* files are generated by depmod, and so do not match the MD5 hash provided by the initial packaged versions.

Some packages do not supply MD5 hashes, one solution would be..

In summary, goto the cached packages folder, clear it, download package files for packages without MD5 hashes, use those files to generate missing MD5 hashes, verify installed packages.

Hope that is helpful!

zer0x