verify rpm package contents

Tomasz Pala gotar at polanet.pl
Wed May 13 22:48:58 CEST 2009


On Wed, May 13, 2009 at 13:58:18 -0400, Jeff Johnson wrote:

> Repackaged files have no digest verification. The digest
> carried in repackaged packages is the original digest;
> but the file in the payload may have been modified or
> even deleted and not present in the repackaged package payload.

Those are exactly the cases I'd like to catch.

During package development sometimes it's necessary to make some
modifications (or change an entire file) in the /usr tree for testing purposes.
When you forget about it and upgrade the package, these changes are lost.
Recently I've found an old ltmain.sh file (this time causing problems) and
I can't recall replacing it. Now I'd like to review the entire repackage
spool for modifications done before upgrade.

There would be differences in config files and missing languages for
sure, however other permissions, timestamps and modifications are worth
pointing out.

> You can work around by using a transaction "probe dependency".
> 
> E.g.
> 
>      mkdir -p /etc/rpm/sysinfo
>      md5sum /etc/passwd | sed -e 's/\([^ ]*\) *\(.*\)/digest(\2) = \1/' >> /etc/rpm/sysinfo/Requirename
> 
> verifies the md5 of /etc/passwd every time rpm -Uvh is run.

Nice feature, too.

-- 
Tomasz Pala <gotar at pld-linux.org>
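
One way to review a repackaged package for the differences discussed above, as an added example that is not part of the original message or of rpm itself. It assumes the header file list was saved with `rpm -qp --dump` and the payload was unpacked into a scratch directory with `rpm2cpio pkg.rpm | cpio -idm`; the function names and sample data are hypothetical.

```python
import hashlib
import os
import stat
import tempfile

# Hex digest length -> hashlib algorithm (MD5 headers in 2009, SHA-256 later).
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_dump_line(line):
    """Split one `rpm -qp --dump` line; the path itself may contain spaces."""
    # Fields: path size mtime digest mode owner group isconfig isdoc rdev symlink
    path, size, mtime, digest, mode, *_rest = line.rsplit(None, 10)
    return path, int(size), int(mtime), digest.lower(), int(mode, 8)

def verify_payload(dump_text, root):
    """Return (path, problem) pairs where the extracted payload under
    `root` disagrees with the metadata recorded in the package header."""
    findings = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        path, _size, mtime, digest, mode = parse_dump_line(line)
        on_disk = os.path.join(root, path.lstrip("/"))
        try:
            st = os.lstat(on_disk)
        except FileNotFoundError:
            findings.append((path, "missing"))  # deleted before repackaging
            continue
        if stat.S_IMODE(st.st_mode) != stat.S_IMODE(mode):
            findings.append((path, "mode"))
        if not (stat.S_ISREG(mode) and stat.S_ISREG(st.st_mode)):
            continue  # digests and mtimes are compared for regular files only
        if int(st.st_mtime) != mtime:
            findings.append((path, "mtime"))
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None:
            continue  # no usable digest recorded (e.g. %ghost entries)
        with open(on_disk, "rb") as fh:
            if hashlib.new(algo, fh.read()).hexdigest() != digest:
                findings.append((path, "digest"))  # content differs from header
    return findings

if __name__ == "__main__":
    # Constructed sample: header records "original", payload holds "patched".
    recorded = hashlib.md5(b"original\n").hexdigest()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        with open(os.path.join(root, "usr/bin/tool"), "w") as fh:
            fh.write("patched\n")
        line = f"/usr/bin/tool 9 1242000000 {recorded} 0100755 root root 0 0 0 X"
        print(verify_payload(line, root))
```

Config files and stripped locale files will show up as expected differences; the remaining entries are the local modifications worth reviewing.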

