We've Lied to You…

Not really; we just omitted a few details until you've had a chance to see rpm -V in action. Here are the details:

RPM Controls What Gets Verified

Depending on the type of file being verified, RPM will not verify every possible attribute. Here is a table showing the attributes checked for each of the different file types:

Table 6-2. Verification Versus File Types

File Type File Size Mode MD5 Checksum Major Number Minor Number Symlink String Owner Group Modification Time
Directory File - X - - - - X X -
Symbolic Links - X - - - X X X -
FIFO - X - - - - X X -
Devices - X - X X - X X -
Regular Files X X X - - - X X X

The Package Builder Can Also Control What Gets Verified

When a package builder creates a new package, they can control what attributes are to be verified on a file-by-file basis. The reasons for excluding specific attributes from verification can be quite involved, but here's an example just to give you the flavor:

When a person logs into a system, there are device files associated with that user's terminal session. In order for the terminal device (called tty) to function properly, the owner and group of the device must change to that of the person logging in. Therefore, if RPM were to verify the package that created the tty device files, any ttys that were in use at the time would fail to verify. However, by using the %verify [1] directive, a package builder can save you from trivial verification failures.

Notes

[1]

See the Section called The %verify Directive in Chapter 13 for details on %verify