[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Eternal 'good file hashes' list

On Tue, Oct 20, 2009 at 12:45 AM, Ralf Ertzinger <fedora camperquake de> wrote:
> Hi.
> I was wondering the other day how much space the file information (i.e. the
> stuff that rpm -V checks against) takes up in an RPM file. And, going from
> there, how much space we would waste over the years if we kept this
> information for every RPM ever built by koji.
> The idea would be to have a database of known good file information that is
> separate from the local RPM database, so one may burn this information to
> a bootable CD (or DVD) to be able to verify the integrity of the local
> files (as long as the files came from a fedora built RPM file, that is).
> Another possibility would be to load the information from the net, on
> demand.
> How much data are we talking about, roughly?

I have done this in the past for some items.. you need to measure
several things.

1) What do you mean by good. In this case it is not that the program
is secure, but that at one point or another it was built on a system.

2) What are you measuring. Matching a fingerprint between two files is
not exactly enough data as you need to deal with accidental and
intentional collisions. You can lower the chances of this by having
more than one hash AND the size of the file.

3) How are you going to trust that data. The data is going to need to
be stored somewhere and signed off with a key. You will then compare
the two somehow.

In the end, you are going to deal with a lot of data.. every time
someone reformats a README (the 50+ GPL's at one point were around
because someone had put in additional spaces or not) you are going to
have a new set of hashes, some other data (permissions might be nice)
and the signature of that line.

In most cases, you can get that information from the original RPM
compared to the system... if you have the RPM :).

rpm -Vp <package_file_goes_here>

> --
> fedora-devel-list mailing list
> fedora-devel-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

Stephen J Smoogen.

Ah, but a man's reach should exceed his grasp. Or what's a heaven for?
-- Robert Browning

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]