FS#67610 - Save file hashes in packages and the local database

Attached to Project: Pacman
Opened by Dragoon Aethis (DragoonAethis) - Sunday, 16 August 2020, 20:01 GMT
Last edited by Andrew Gregory (andrewgregory) - Saturday, 22 August 2020, 02:33 GMT
Task Type: Feature Request
Category: Backend/Core
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Very Low
Priority: Normal
Reported Version: 5.2.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Currently, the local database contains the desc file (mostly/the same as in the synced databases) and a list of files + mtree of a given package. It'd be nice to also include hashes of each file provided by those packages. This would enable users to verify if the files on disk are consistent with the original package content and to find all changes compared to a fresh system with the same installed package list. (It's not a security improvement though, as any potentially malicious program that could overwrite root-owned package files can also overwrite hashes in the local database.)

Closed by Andrew Gregory (andrewgregory)
Saturday, 22 August 2020, 02:33 GMT
Reason for closing: None
Comment by Eli Schwartz (eschwartz) - Sunday, 16 August 2020, 20:05 GMT
We do this already, that's what the mtree file is.
Comment by Dragoon Aethis (DragoonAethis) - Sunday, 16 August 2020, 20:23 GMT
Ah, okay, sorry, I thought it's only for permissions, update times and sizes as the manpage suggests. Apologies for the spam, this can be closed.
Comment by Eli Schwartz (eschwartz) - Sunday, 16 August 2020, 20:29 GMT
pacman -Qkk doesn't check hashes, but that doesn't mean the information isn't there, or that other libalpm ecosystem programs can't check them.

pacman -S pacutils && paccheck --md5sum --sha256sum [<package-to-check> ...]
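
What the mtree answer in this thread implies in practice, as an added example (not code from pacman, pacutils or the commenters): parse mtree text and compare each recorded sha256digest with the file on disk. The keywords follow libarchive's mtree format; the function names and the sample tree are constructed here, and the input is assumed to be already decompressed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_mtree(text):
    """Return {relative_path: sha256_hex} for regular files listed in mtree text."""
    defaults, entries = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *words = line.split()
        attrs = dict(w.split("=", 1) for w in words if "=" in w)
        if name == "/set":  # defaults for the entries that follow
            defaults.update(attrs)
        merged = {**defaults, **attrs}
        if name.startswith("/") or merged.get("type") != "file" or "sha256digest" not in merged:
            continue  # directives, directories, symlinks, entries without a digest
        # mtree writes special bytes as \ooo octal escapes (\040 is a space)
        raw = re.sub(rb"\\([0-3][0-7]{2})", lambda m: bytes([int(m.group(1), 8)]), name.encode())
        path = raw.decode("utf-8", "surrogateescape").removeprefix("./")
        if "/" not in path and path.startswith("."):
            continue  # .PKGINFO and similar package metadata is never installed
        entries[path] = merged["sha256digest"]
    return entries

def verify(root, entries):
    """Return [(path, problem)] for files under root that differ from the mtree."""
    problems = []
    for rel, want in sorted(entries.items()):
        target = Path(root) / rel
        if not target.is_file():
            problems.append((rel, "missing"))
        elif hashlib.sha256(target.read_bytes()).hexdigest() != want:
            problems.append((rel, "sha256 mismatch"))
    return problems

def demo():  # constructed sample: one intact file, one edited, one deleted
    sha = lambda data: hashlib.sha256(data).hexdigest()
    mtree = "\n".join(["#mtree", "/set type=file uid=0 gid=0 mode=644",
        "./.PKGINFO time=1.0 size=4 sha256digest=" + sha(b"meta"),
        "./usr time=1.0 mode=755 type=dir",
        "./usr/my\\040tool time=1.0 size=3 sha256digest=" + sha(b"ok\n"),
        "./usr/conf time=1.0 size=2 sha256digest=" + sha(b"a\n"),
        "./usr/gone time=1.0 size=2 sha256digest=" + sha(b"b\n")])
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "usr").mkdir()
        (Path(root) / "usr/my tool").write_bytes(b"ok\n")
        (Path(root) / "usr/conf").write_bytes(b"changed\n")
        return verify(root, parse_mtree(mtree))
```

The per-package mtree in the local database is gzip-compressed, so decompress it before passing the text to parse_mtree. As the report itself notes, a match only shows consistency with the local database, which a root-level attacker can rewrite as well.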
