On Tue, Oct 20, 2009 at 12:45 AM, Ralf Ertzinger <fedora@xxxxxxxxxxxxxx> wrote: > Hi. > > I was wondering the other day how much space the file information (i.e. the > stuff that rpm -V checks against) takes up in an RPM file. And, going from > there, how much space we would waste over the years if we kept this > information for every RPM ever built by koji. > > The idea would be to have a database of known good file information that is > separate from the local RPM database, so one may burn this information to > a bootable CD (or DVD) to be able to verify the integrity of the local > files (as long as the files came from a fedora built RPM file, that is). > Another possibility would be to load the information from the net, on > demand. > > How much data are we talking about, roughly? I have done this in the past for some items.. you need to measure several things. 1) What do you mean by good. In this case it is not that the program is secure, but that at one point or another it was built on a system. 2) What are you measuring. Matching a fingerprint between two files is not exactly enough data as you need to deal with accidental and intentional collisions. You can lower the chances of this by having more than one hash AND the size of the file. 3) How are you going to trust that data. The data is going to need to be stored somewhere and signed off with a key. You will then compare the two somehow. In the end, you are going to deal with a lot of data.. every time someone reformats a README (the 50+ GPL's at one point were around because someone had put in additional spaces or not) you are going to have a new set of hashes, some other data (permissions might be nice) and the signature of that line. In most cases, you can get that information from the original RPM compared to the system... if you have the RPM :). rpm -Vp <package_file_goes_here> > -- > fedora-devel-list mailing list > fedora-devel-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-devel-list > -- Stephen J Smoogen. Ah, but a man's reach should exceed his grasp. Or what's a heaven for? -- Robert Browning -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list