Florian Kulzer <[EMAIL PROTECTED]> writes:
> On Sat, Oct 06, 2007 at 20:02:43 -0700, Carl Johnson wrote:
> > Florian Kulzer writes:
>
> [...]
>
> [ We are discussing verifying the content of Debian DVDs. ]
>
> > > First you need to download the files which list these checksums:
> > >
> > > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/MD5SUMS{,.sign}
> > > wget http://cdimage.debian.org/debian-cd/4.0_r1/i386/iso-dvd/SHA1SUMS{,.sign}
> >
> > I didn't notice until after I downloaded them that they are i386, but
> > I have amd64, but it was easy enough to find the amd64 ones. Then I
> > noticed that they are 4.0_r1 and I just have the original 4.0. That
> > is where I struck out and was unable to find any other than r1.
>
> Googling for "debian-40r0-amd64-DVD-1.iso" finds a few places that list
> the checksums for 4.0r0, for example:
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg16901.html
>
> You can compare your md5/sha1sums with the ones listed there. That is
> nowhere near as good as having a signed file, but it is better than
> nothing.

I tried verifying against those, but mine don't compare, so I don't
know what is happening.

> > I ended up doing this anyways, since they are official DVDs from a
> > vendor listed at debian.org.
>
> It does not hurt to check against the checksums on the web. One of the
> DVDs might have been produced incorrectly or might have been damaged
> since. (Most physical damage would probably have shown up already as a
> read error when you ran md5/sha1sum, though.)

Right, that's what I figure also.

> > I was going to file a bug about the
> > Release.gpg not being present, until I suddenly realized that they
> > can't put them on the ISO image without changing the checksum.
>
> This is a minor point, but let me clarify: The "Release.gpg" file only
> vouches for the content of the "Release" file and nothing else. The
> Release file has the checksums for the "Packages", "Packages.gz", and
> "Packages.bz2" files, which in turn list the checksums for the
> individual .deb packages. You can look at all these files, they are just
> (compressed) ASCII text.
>
> Therefore it would be possible to put Release.gpg files on the CDs and
> DVDs. Maybe this is not done because the security implications are
> different for physical media than they are for repeatedly downloading
> packages from the net.

Thanks for the clarification. I had completely missed that. I will
file a wishlist bug on debian-installer. I don't know if that is the
right place, but if not they should notify me where it should be sent.

Thanks again for all of your help.

-- 
Carl Johnson [EMAIL PROTECTED]
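
The chain described in the quoted reply above (Release.gpg vouches for Release, Release lists checksums for the Packages indexes, Packages lists checksums for each .deb) can be walked as follows. This is an added example, not code from the thread or from Debian. It assumes the signature step was already done separately with `gpg --verify Release.gpg Release`; the function names, the `files` dictionary layout and all sample data are constructed for illustration.

```python
import hashlib

ALGOS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}  # Release field -> hashlib name

def digest(field, data):
    return hashlib.new(ALGOS[field], data).hexdigest()

def release_sums(release_text, field):
    """Parse one checksum section of a Release file into {path: (hexdigest, size)}."""
    sums, active = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):            # unindented line starts a new field
            active = line.strip() == field + ":"
        elif active:
            hexdigest, size, path = line.split()
            sums[path] = (hexdigest, int(size))
    return sums

def package_sums(packages_text, field):
    """Parse a Packages index into {Filename: hexdigest}, one stanza per package."""
    stanzas = (dict(l.split(": ", 1) for l in s.splitlines() if ": " in l)
               for s in packages_text.strip().split("\n\n"))
    return {kv["Filename"]: kv[field] for kv in stanzas}

def verify_chain(release_text, files, field="SHA1"):
    """Return a list of failures; `files` maps path -> bytes read from the medium."""
    failures, verified = [], 0
    for path, (want, size) in release_sums(release_text, field).items():
        if not path.endswith("/Packages") or path not in files:
            continue                            # this sketch checks uncompressed indexes only
        if len(files[path]) != size or digest(field, files[path]) != want:
            failures.append(path)               # untrusted index: do not descend into it
            continue
        verified += 1
        for deb, deb_want in package_sums(files[path].decode(), field).items():
            if deb not in files or digest(field, files[deb]) != deb_want:
                failures.append(deb)
    return failures if verified or failures else ["no Packages index verified"]

def demo():
    """Constructed sample data: one fake .deb, its Packages index and a Release file."""
    deb, name = b"constructed .deb payload", "pool/main/h/hello/hello_1.0_amd64.deb"
    pkgs = f"Package: hello\nFilename: {name}\nSHA1: {digest('SHA1', deb)}\n".encode()
    idx = "main/binary-amd64/Packages"
    release = f"Suite: stable\nSHA1:\n {digest('SHA1', pkgs)} {len(pkgs)} {idx}\n"
    return (verify_chain(release, {idx: pkgs, name: deb}),            # intact
            verify_chain(release, {idx: pkgs, name: deb + b"!"}),     # altered .deb
            verify_chain(release, {idx: pkgs + b"\n", name: deb}))    # altered index
```

A failed index stops the descent on purpose: checksums read from a Packages file that does not match Release prove nothing about the .deb files it lists.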