hello,

I released a tool recently that I'd like to share with this list: https://github.com/kpcyrd/archlinux-userland-fs-cmp

It's supposed to be used from a rescue image (any Linux) with an Arch install mounted to e.g. /mnt. It does the following:

- Open /mnt/var/lib/pacman and extract the list of (allegedly) installed packages.
- Instead of trusting the `mtree` files from the mounted file system, the %NAME% and %VERSION% values from the `desc` files are used to start a download stream from archive.archlinux.org.
- From the download stream it's decompressing and inspecting the content on-the-fly; since the .MTREE file is near the beginning of the package, we can abort the remaining package download after the mtree has been received (saving a lot of time and traffic).
- All files in /mnt that are part of a package are hashed and compared with the sha256 hashes in the MTREE files downloaded from the archive.
- Finally, it's printing a report of all files that either mismatched or are not a part of any package. This can be redirected to a file using the -o flag.

At no point is any file from the mounted filesystem eval'd or otherwise executed. Parsers are written in a memory safe language.

Although it's integrating with pacman, the integration with archive.archlinux.org makes this Arch Linux specific; files from AUR, Manjaro or SteamOS packages are all going to be flagged for manual inspection.

The authenticity of the .MTREE files is assumed through the https connection they are downloaded from (which is supposed to be sufficient for the use-case it's built for).

The release page on github has a pre-compiled, statically linked binary that can trivially be reproduced from source code. The dependency tree is documented in Cargo.lock, the build environment is documented in repro-env.lock. The binary has been tested to be working correctly on a Debian bookworm installer busybox rescue shell.

There's a gif in the README showing what the tool looks like in action.
---

I also printed reproducible builds stickers with a new and unique design that I'm planning to hand out at FOSDEM (along with some 37c3 leftovers). If you have read this far, feel free to ask me about stickers if you see me there. The print cost is on me.

cheers,
kpcyrd
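The verification pipeline described in the post, as an added Python sketch that is not part of kpcyrd's tool: it reads %NAME%/%VERSION% from a pacman `desc` file, builds the archive.archlinux.org package URL (the layout under packages/<initial>/<name>/ is my assumption, the post does not state it), parses a package .MTREE into path/sha256 pairs honouring `/set` defaults, and hashes a mounted tree against those digests, reporting mismatched and unowned files. The actual download and the early abort of the package stream are left out; demo() runs the whole thing on a constructed tree with one tampered binary and one stray file.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

def parse_desc(text):
    """(name, version) from a pacman local-db 'desc' file; nothing else in it is trusted."""
    fields = dict(re.findall(r"%(\w+)%\n([^\n]*)", text))
    return fields["NAME"], fields["VERSION"]

def archive_url(name, version, arch="x86_64"):
    """Assumed archive layout (not stated in the post): packages/<initial>/<name>/<file>."""
    return f"https://archive.archlinux.org/packages/{name[0]}/{name}/{name}-{version}-{arch}.pkg.tar.zst"

def parse_mtree(text):
    """path -> sha256 for regular files in a package .MTREE; honours /set defaults and \\ooo escapes."""
    digests, defaults = {}, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        word, *kv = line.split()
        attrs = {**defaults, **dict(i.split("=", 1) for i in kv if "=" in i)}
        if word == "/set":
            defaults = attrs
        elif word.startswith("./") and attrs.get("type") == "file" and "sha256digest" in attrs:
            path = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), word[2:])
            digests[path] = attrs["sha256digest"]  # ./.PKGINFO etc. never exist on disk: harmless
    return digests

def compare_tree(root, digests):
    """(mismatched, unowned): owned files whose hash differs, and files no package accounts for."""
    mismatched, unowned = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in digests:
                unowned.append(rel)
            elif hashlib.sha256(Path(dirpath, name).read_bytes()).hexdigest() != digests[rel]:
                mismatched.append(rel)
    return sorted(mismatched), sorted(unowned)

def demo():
    root, genuine = tempfile.mkdtemp(), b"#!/bin/sh\necho hello\n"  # constructed scenario
    mtree = f"#mtree\n/set type=file mode=644\n./usr type=dir\n./usr/bin type=dir\n./usr/bin/hello mode=755 sha256digest={hashlib.sha256(genuine).hexdigest()}\n"
    Path(root, "usr/bin").mkdir(parents=True)
    Path(root, "usr/bin/hello").write_bytes(genuine.replace(b"hello", b"changed"))  # tampered binary
    Path(root, "usr/bin/rogue").write_bytes(b"owned by no package\n")  # stray file
    name, version = parse_desc("%NAME%\nhello\n\n%VERSION%\n1.0-1\n\n%ARCH%\nx86_64\n\n")
    return (archive_url(name, version), *compare_tree(root, parse_mtree(mtree)))
```

Files listed in the .MTREE but absent from disk are not reported here, matching the post's two report categories; a real run would call compare_tree("/mnt", digests) with digests merged from every installed package.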