You are not logged in.

#51 2011-03-18 09:31:42

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: paccheck - pacman package authenticity check

IG banned? What has he done now????

Oh, package signing again... Shame that differences in opinion lead to people getting banned - seems very childish.

But on topic again:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
THE FOLLOWING PACKAGES IN PACMAN'S PKG CACHE ARE THE WRONG SIZE - this
indicates they are corrupt, or they or the database has been tampered
with:

    archlinuxfr/lsb-release-1.4-10  (cache 6204 != db 6200)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

All OK.

System update is NOT recommended until the above issues are addressed.

Anybody else getting this?


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

#52 2011-03-18 11:24:00

pablokal
Member
From: Nijmegen, Holland
Registered: 2010-03-07
Posts: 96
Website

Re: paccheck - pacman package authenticity check

If you got this after using paccheck this must an effective warning!
I would take the recommendation serious.
You could post your question again on the  Arch section of LinuxQuestions  as IG will be probably find your question there: http://www.linuxquestions.org/questions/arch-29/
On his blog IG writes he is blocked and not able to visit this site any more.


GNu/Linux: Nu nog schoner: http://linuxnogschoner.blogspot.com/

Offline

#53 2011-03-18 11:43:18

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: paccheck - pacman package authenticity check

Thanks pablokal smile Yes, I got it after running paccheck.

IG wrote a reply on the package signing thread and tread on some peoples' toes, ergo banned. I doubt he is interested in Arch any more as a result. Big shame.

I just wondered whether anybody else got this message...


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

#54 2011-03-18 12:27:08

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: paccheck - pacman package authenticity check

You're comparing a package from a third party repo against the official mirrors. A difference in the compiler used could lead to a difference in package size. This is a false positive.

Offline

#55 2011-03-18 12:34:05

toad
Member
From: if only I knew
Registered: 2008-12-22
Posts: 1,775
Website

Re: paccheck - pacman package authenticity check

Thanks, falconindy.

Odd, I've done the same on my laptop (also 64 bit) and didn't get the warning and try as I may, I cannot get my head round the reason for this difference. Granted, the mirrors are different, but I still don't get it.


never trust a toad...
::Grateful ArchDonor::
::Grateful Wikipedia Donor::

Offline

#56 2011-03-18 12:37:07

falconindy
Developer
From: New York, USA
Registered: 2009-10-22
Posts: 4,111
Website

Re: paccheck - pacman package authenticity check

archlinuxfr is a third party repo which builds their own packages. Official mirrors just sync from a tier above them. They choose to recompile packages from core/extra/community rather than sync for reasons I'm unaware of.

Last edited by falconindy (2011-03-18 12:39:06)

Offline

#57 2011-03-26 02:35:03

Gumper
Member
From: U.S.A.
Registered: 2009-10-26
Posts: 132

Re: paccheck - pacman package authenticity check

Does anyone know if paccheck will continue to function properly with pacman 3.5?


Ready yourselves, ready yourselves
Let us shine the light of Jesus in the darkest night
Ready yourselves, ready yourselves
May the powers of darkness tremble as our praises rise .... Casting Crowns-Until The Whole World Hears.

Offline

#58 2011-03-26 02:53:58

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,472
Website

Re: paccheck - pacman package authenticity check

Looks like it uses "repo.db.tar.gz" and not "repo.db" so it probably will not work with pacman-3.5.

Offline

#59 2011-03-26 03:48:55

Korrode
Member
From: Australia
Registered: 2009-11-02
Posts: 110

Re: paccheck - pacman package authenticity check

It's really too bad IG got banned hmm he's also the guy who makes the pcmanfm-mod I use...


xfce | compiz | gmrun | urxvt | chromium | geany | aqualung | vlc | geeqie

Offline

#60 2011-03-26 03:50:47

Gumper
Member
From: U.S.A.
Registered: 2009-10-26
Posts: 132

Re: paccheck - pacman package authenticity check

Allan wrote:

Looks like it uses "repo.db.tar.gz" and not "repo.db" so it probably will not work with pacman-3.5.

Thanks Allan.


Ready yourselves, ready yourselves
Let us shine the light of Jesus in the darkest night
Ready yourselves, ready yourselves
May the powers of darkness tremble as our praises rise .... Casting Crowns-Until The Whole World Hears.

Offline

#61 2011-03-26 07:16:50

mundane
Banned
Registered: 2011-03-23
Posts: 49

Re: paccheck - pacman package authenticity check

Gumper wrote:
Allan wrote:

Looks like it uses "repo.db.tar.gz" and not "repo.db" so it probably will not work with pacman-3.5.

Thanks Allan.

Bad design from IG.

repo.db has been a symlink to repo.db.tar.gz for a long time. repo.db is meant to be used in case the compression format gets changed, such as for pacman 3.5 wink

Offline

#62 2011-03-26 22:16:04

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

I wrote an update to paccheck for it to work with pacman 3.5.1
I contacted IgnorantGuru to submit it to him and to ask if he intends to continue with that script and the paccheck package in AUR.

Last edited by berbae (2011-03-27 09:55:42)

Offline

#63 2011-03-27 15:00:17

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

An updated version is now available compatible with pacman >3.5 :
http://aur.archlinux.org/packages.php?ID=46763

It's recommended to use 3 or 4 different mirrors from diverse locations, and at least one for the full compare option.

The script can help to detect compromised mirrors for some hacking scenarios, but it doesn't guaranty a total security for more complex, though improbable, ones.

Offline

#64 2011-03-27 15:55:21

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

I updated the package to 0.8.13-2 because I forgot to include the mirrorlist example file.
Sorry.

Offline

#65 2011-03-27 20:35:13

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

The source origin is now corrected in 0.8.13-3 release.
I am sorry for the annoyance it caused before that.

I want to add that I appreciate the Arch Linux distribution, it is my preferred one.
I thanks all the devs for their good work and particularly Allan for the much welcome improvements in the pacman 3.5.1 release and
the advancement of package signing, which is not an easy task and also not a so pleasant one, I concede.

So thank you very much to all of you, guys!

I like working with Arch Linux.

Offline

#66 2011-03-30 10:11:23

milomouse
Member
Registered: 2009-03-24
Posts: 940
Website

Re: paccheck - pacman package authenticity check

As a site note; in the `paccheck' source it checks for user's DBPath and if it's not set it will assign to /var/lib/pacman/sync but of course pacman default is /var/lib/pacman, so if you're going to check for user's DBPath you may want to append /sync to $dbpath if it's discovered to be set, otherwise it will attempt to check repo lists without /sync appended and fail.

Offline

#67 2011-03-30 15:12:22

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

milomouse wrote:

but of course pacman default is /var/lib/pacman

That was the default before pacman 3.5, now the sync database tar files are put directly in /var/lib/pacman/sync and without the .tar.gz extension :

[berbae@arch64 ~]$ ll /var/lib/pacman
total 40
drwxr-xr-x 669 root root 36864 29 mars  23:45 local
drwxr-xr-x   2 root root  4096 30 mars  15:45 sync
[berbae@arch64 ~]$ ll /var/lib/pacman/sync
total 948
-rw-r--r-- 1 root root 442384 29 mars  21:04 community.db
-rw-r--r-- 1 root root  38276 29 mars  18:41 core.db
-rw-r--r-- 1 root root 472426 29 mars  15:39 extra.db

So there are no DB files in /var/lib/pacman anymore.
That's why I changed the default value of the dbpath variable in the script to '/var/lib/pacman/sync'.

So when using the DBPath variable in /etc/pacman.conf, the user has to write the complete path to where the database files are.
That's logical that the DBPath variable should contain exactly the place where the DB tar files are (not a parent directory).

But thanks for your post.

Edit : the infos here are wrong, see following posts. Sorry for that.

Last edited by berbae (2011-03-30 22:49:54)

Offline

#68 2011-03-30 16:18:30

milomouse
Member
Registered: 2009-03-24
Posts: 940
Website

Re: paccheck - pacman package authenticity check

That's weird.  I guess pacman appends /sync to my DBPath then?  Because mine is /var/cache/packages/database  not  /var/cache/packages/database/sync so I guess pacman is doing it for me because the *db's are in $DBPath/sync.  I'll mess around with this-- sorry for the static.

Edit: What made me think this is because original 3.5 pacman.conf shows commented DBPath = /var/lib/pacman/

Last edited by milomouse (2011-03-30 16:25:58)

Offline

#69 2011-03-30 22:12:44

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,472
Website

Re: paccheck - pacman package authenticity check

berbae wrote:

So when using the DBPath variable in /etc/pacman.conf, the user has to write the complete path to where the database files are.
That's logical that the DBPath variable should contain exactly the place where the DB tar files are (not a parent directory).

No...   DBPath=/var/lib/pacman is correct.  If reading the DBPath from pacman.conf, you will need to add sync to the end of it.

Offline

#70 2011-03-30 22:28:39

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: paccheck - pacman package authenticity check

milomouse wrote:

so I guess pacman is doing it for me because the *db's are in $DBPath/sync.

I verified and I saw that you are right, so I was wrong to change the default dbpath variable in the script.

I corrected that in the paccheck 0.8.14 version.

Thank you for your contribution.

Edit: Thank you Allan, I saw your post after I made the correction, but you confirm what milomouse signaled to me.

Last edited by berbae (2011-03-30 22:45:44)

Offline

#71 2011-03-31 12:17:33

milomouse
Member
Registered: 2009-03-24
Posts: 940
Website

Re: paccheck - pacman package authenticity check

No worries, and thanks for maintaining the script. :}

Offline

Board footer

Powered by FluxBB