On Mon, 30 Jul 2001, Manoj Srivastava wrote:

> Not quite. This only requires processing _installed_
> packages. And yes, there is a tradeoff; Disk space for the archives,
> transfers, and CDs' vs processing when a system's integrity is under
> suspicion. The latter ought to be a rarer event, and shall not
> affect every user of Debian.

It seems to me the best solution is to just provide the SHA-1 hash of something like the .md5sum file in either the Packages file, or a close sibling of the Packages file. The dpkg can still optionally build .md5sum on the fly, which is the best way, and the integrity of the .md5sum's can be checked by *everyone* quite quickly, and in a safe manner. Needing to have a cd around to check your install is rather lame.

BTW, the md5sum file sucks, it should include a complete transcript of the tar information as well as hashes for normal files.

It is also possible for the ftp archive to have those files appear, apt-ftparchive already does all the work and caching necessary to make that happen.

Jason
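
The two-stage check proposed in this message, as an added example (not code from dpkg, apt or the thread): a locally stored md5sums list is trusted only once its SHA-1 matches a value published in the archive index, and only then is each installed file compared against the list. The function names, the file paths and passing the published hash as a plain string are assumptions, and all sample data is constructed.

```python
import hashlib
import os
import tempfile


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_md5sums(md5sums: bytes, trusted_sha1: str, root: str) -> list:
    """Return (path, problem) tuples; an empty list means everything matched."""
    # Stage 1: trust the local list only if it hashes to the published value.
    if hashlib.sha1(md5sums).hexdigest() != trusted_sha1.lower():
        return [("<md5sums>", "list does not match published SHA-1")]
    # Stage 2: the list is authentic, so compare each installed file to it.
    problems = []
    for line in md5sums.decode("utf-8").splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        try:
            with open(os.path.join(root, rel.lstrip("/")), "rb") as fh:
                if md5hex(fh.read()) != expected:
                    problems.append((rel, "modified"))
        except FileNotFoundError:
            problems.append((rel, "missing"))
    return problems


def demo() -> dict:
    """Constructed sample: two installed files plus the list built for them."""
    files = {"usr/bin/tool": b"original binary\n", "etc/tool.conf": b"key=value\n"}
    changed = b"replaced binary\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        md5sums = "".join(f"{md5hex(d)}  {r}\n" for r, d in files.items()).encode()
        published = hashlib.sha1(md5sums).hexdigest()  # stands in for the index entry
        clean = check_md5sums(md5sums, published, root)
        with open(os.path.join(root, "usr/bin/tool"), "wb") as fh:
            fh.write(changed)  # file replaced, list untouched
        file_only = check_md5sums(md5sums, published, root)
        # List rewritten to agree with the replaced file: caught by stage 1.
        forged = md5sums.replace(md5hex(files["usr/bin/tool"]).encode(), md5hex(changed).encode())
        both = check_md5sums(forged, published, root)
    return {"clean": clean, "file_only": file_only, "both": both}
```

Without stage 1, the third case would pass silently, since a list stored on the suspect system can be rewritten along with the files it describes.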