dpkg vs RPM
Thomas blogs about some issues he had with his N900's Facebook plugin. This post isn't about that, as I don't use Facebook.
But as part of his blog post, he mentions the following:
This reminded me of a pet peeve I have with those people who claim Debian’s packaging system to be far superior to rpm – apparently dpkg doesn’t have any equivalent of rpm -qv which allows you to verify that the files that should be installed by a package are indeed on disk
True, probably because the script would be so trivial:
for i in $(cat /var/lib/dpkg/info/nbd-client.list)
do
    [ -f "$i" -o -d "$i" ] || echo "$i missing"
done
There, that wasn't hard, was it?
Now I'm not sure whether rpm's -qv option actually checks the checksum of the files, too. If it does that, then the semantically similar way would be:
(cd / && md5sum -c var/lib/dpkg/info/nbd-client.md5sums)
... except that MD5 is totally and utterly useless these days, and that we should be changing to something else. And that md5sums is an optional feature, provided by some, but not all, packages. And it may also be that maemo packages don't have md5sums (which would make sense). But, anyway.
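The two checks from the post combined into one function, as an added example that is not code from the original post or from dpkg: it reads the list line by line so paths with spaces survive, reports missing and changed files, and says so when a package ships no md5sums. The names verify_pkg and make_sample, the sample package "demo" and its temporary tree are constructed for illustration.

```sh
#!/bin/sh
# verify_pkg ROOT LIST [MD5SUMS]: print one finding per line, return 1 on any.
verify_pkg() {
    root=$1 list=$2 sums=${3:-} rc=0
    # Read line by line so paths containing spaces are not word-split.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -L keeps dangling symlinks from being reported as missing.
        if [ ! -e "$root$path" ] && [ ! -L "$root$path" ]; then
            echo "missing $path"; rc=1
        fi
    done < "$list"
    # md5sums is optional in a package: say so instead of passing silently.
    if [ -z "$sums" ] || [ ! -f "$sums" ]; then
        echo "unverified (no md5sums shipped)"; return $rc
    fi
    # Each line is "<md5>  <path relative to root>".
    while read -r want rel; do
        [ -f "$root/$rel" ] || continue   # missing files were reported above
        got=$(md5sum < "$root/$rel" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "changed /$rel"; rc=1; }
    done < "$sums"
    return $rc
}

# Constructed sample: a fake package "demo" under a temporary root with one
# intact file, one modified file and one file that was never installed.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/usr/bin" "$d/root/etc/demo dir"
    printf 'ok\n' > "$d/root/usr/bin/demo"
    printf 'orig\n' > "$d/root/etc/demo dir/conf"
    printf '%s\n' /. /usr /usr/bin /usr/bin/demo "/etc/demo dir/conf" \
        /usr/share/doc/demo/README > "$d/demo.list"
    (cd "$d/root" && md5sum usr/bin/demo "etc/demo dir/conf") > "$d/demo.md5sums"
    printf 'edited\n' > "$d/root/etc/demo dir/conf"   # simulate a changed file
    echo "$d"
}

# Demo run against the constructed sample.
d=$(make_sample) && verify_pkg "$d/root" "$d/demo.list" "$d/demo.md5sums"
rm -rf "$d"
```

The md5sums file sits unprotected next to the files it describes, so a match here rules out corruption or accidental edits, not deliberate tampering.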
rpm -qv does very extensive checking, not just for file existence. It will check MD5 hashes, verify that dependencies are installed, check modes, ownership, and modify times, as well as SELinux labels on systems where it is active.
You say that MD5 is "useless", and it's true that it is breakable by a committed attacker, but it's certainly vastly better than your proposed shell script that merely verifies file existence.
There are other areas where .deb is better.
My RPM manpage says that RPM's --verify mode checks the following metadata for each file in the archive: size, permissions, type, MD5, major/minor number (for devices), target (for symlinks), user, group, modification time. Unless somebody hacks the RPM database, it's pretty easy for RPM to discover that things have been tampered with.
I prefer dpkg in general, but RPM's --verify is quite nice.
Please do not advocate accessing /var/lib/dpkg/info/nbd-client.list, but rather use dpkg -L.
Also, debsums is what you need for your verification needs.
You don't even have to know the path where those md5sums are kept, just run: debsums -c nbd-client. Oh, and for those packages that lack md5sums, debsums can even calculate them upon installation.
... md5 is totally and utterly useless these days ...
It shouldn't be used to protect against attacks anymore, true, but md5 is still absolutely sufficient to detect files that were modified by disk or net corruption. The md5sums in the package database can't do more in any case since they're not themselves protected, so any attacker can just update the sums, too (or remove them.)
Wouter,
You'd be well served by researching what 'rpm -qV' actually does, which is more than a simple check for existence of files and directories, and md5sums. From the man page:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
As a random example here's the output from a machine in my care:
rpm -qV httpd
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T c /etc/logrotate.d/httpd
....L... /var/www/html
So that's a very easy way to see what's changed, in this case two config files and /var/www/html, which has become a symlink rather than a directory.
Because of its ease of use, RPM verify makes light work of checking integrity at a basic level for all packages after a suspected wide-level breakage, 'rpm -qaV'. I've had customers accidentally overwrite permissions from all files within /bin, for example, and rpm -qaV trivially shows me which ones need fixing.
Your "trivial" script is anything but that for 99% of Debian users, as it relies on them knowing both where the .list files are and having scripting knowledge good enough to query it, whereas any interested beginner would be able to read the rpm manpage to find the verify command.
I may love Debian but RPM does have some things I miss when I come back home.
debsums helps us check the md5sums of installed packages (at least those that use the feature):
whatis debsums
debsums (1) - check the MD5 sums of installed Debian packages
But your simple command line works well too