On Mon, Jan 27, 2014, at 22:41, Elmar Stellnberger wrote:
> However locally stored
> checksums are not of use as they can
> be manipulated arbitrarily.
>
This shouldn't be a concern when using signed packages, correct? Or if
that's still a problem couldn't we just teach `pkg check` to confirm
si
A respective tool for Debian-based distros has just been released
(http://www.elstel.org/debcheckroot).
It takes a somewhat simpler approach than its rpm-based counterpart and may
serve as a proof of concept.
The only thing that is required is a sha/md5sum list for each package (as
private keys