How to detect patched versus bugged gpg binary

Karol Babioch karol at babioch.de
Tue Sep 6 09:17:41 CEST 2016


Hi,

On 06.09.2016 at 06:43, Mike Ingle wrote:
> or rely on calling dpkg to ask the version.

Yes, I'm afraid that is the only feasible way - at least to my knowledge.

You could also check some hashes. However, dpkg (AFAIK) does not offer an
"--verify" option, so you have to do it on your own. Apparently some
checksums are also stored in /var/lib/dpkg/info/<package>.md5sums, but
probably not all. Furthermore, there is a debsums package [1].

First of all you obviously need to browse the package sources and try to
find out which version(s) have a particular patch already applied.

Best regards,
Karol Babioch

[1]:
https://serverfault.com/questions/322518/can-dpkg-verify-files-from-an-installed-package

P.S.: My personal opinion: The whole Debian approach is a mess. Rather
than contributing upstream and trying to improve the code there, they
are making Frankenstein builds that were never intended in this way by
the upstream projects. Nobody knows which patches they do and do not
backport, and in general Debian packages are massively outdated.
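As an added example (not code from Karol's message, and not part of dpkg or debsums), here is a small POSIX sh check that does what the message describes by hand: it reads the per-package list at /var/lib/dpkg/info/<package>.md5sums and compares each listed file against what is on disk. The demo data (a fake package root with one intact, one modified and one missing file) is constructed inline so the check runs without root privileges and without touching the real dpkg database; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from dpkg/debsums.
# Compares installed files against the checksum list that dpkg keeps at
# /var/lib/dpkg/info/<package>.md5sums. Entries there are "md5  relative/path",
# with paths relative to /. The list covers only files shipped in the .deb
# (conffiles are usually absent), so a clean result is not, by itself, proof
# that a binary carries a particular patch; it only shows the file on disk is
# the one the package installed.

# verify_md5sums LISTFILE [ROOT]
# Prints one "MISSING <path>" or "MISMATCH <path>" line per problem.
# Returns 0 when every listed file exists and matches, 1 otherwise,
# 2 when the list itself cannot be read.
verify_md5sums() {
    listfile="$1"
    root="${2:-/}"
    [ -r "$listfile" ] || { echo "cannot read checksum list: $listfile" >&2; return 2; }
    problems=0
    while read -r expected path; do
        # skip blank lines; a path may contain spaces, so it is the rest of the line
        [ -n "$path" ] || continue
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path"
            problems=$((problems + 1))
        fi
    done < "$listfile"
    [ "$problems" -eq 0 ]
}

# verify_package PACKAGE
# Wrapper for the real dpkg database (needs read access to /var/lib/dpkg).
verify_package() {
    verify_md5sums "/var/lib/dpkg/info/$1.md5sums" /
}

# build_demo: constructed demo data, a fake package root with one intact file,
# one file modified after the list was written, and one file that is absent.
# Prints the path of the temporary root.
build_demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/usr/bin"
    printf 'original content\n' > "$demo_root/usr/bin/intact"
    printf 'original content\n' > "$demo_root/usr/bin/modified"
    good_hash=$(md5sum "$demo_root/usr/bin/intact" | cut -d' ' -f1)
    # the list records the pre-modification hash for all three files
    printf '%s  usr/bin/intact\n%s  usr/bin/modified\n%s  usr/bin/missing\n' \
        "$good_hash" "$good_hash" "$good_hash" > "$demo_root/fakepkg.md5sums"
    # tamper with one file after the list was written
    printf 'replaced content\n' > "$demo_root/usr/bin/modified"
    echo "$demo_root"
}

# count_problems LISTFILE ROOT: number of MISSING/MISMATCH lines reported
count_problems() {
    verify_md5sums "$1" "$2" | wc -l | tr -d ' '
}

demo_root=$(build_demo)
if verify_md5sums "$demo_root/fakepkg.md5sums" "$demo_root"; then
    echo "all files match the package checksum list"
else
    echo "files differ from the package checksum list"
fi
rm -rf "$demo_root"
```

For a real package, `verify_package gnupg` runs the same comparison against /var/lib/dpkg/info/gnupg.md5sums; as the message notes, that tells you whether the installed files are the ones the package shipped, not which patches the package carries, which still has to be read off the package's source and changelog.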
