Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking

To: Stephen Zander <gibreel@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
From: Daniel Jacobowitz <dan@debian.org>
Date: Mon, 20 Jan 2003 12:35:54 -0500
Message-id: <[🔎] 20030120173554.GA27640@nevyn.them.org>
Mail-followup-to: Stephen Zander <gibreel@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 87wul0g4bo.fsf@rabbit.fire-swamp.net>
References: <[🔎] 200301131352.IAA08938@bromo.msbb.uc.edu> <[🔎] Pine.LNX.4.33.0301130931400.2080-100000@gradall.private.brainfood.com> <[🔎] 20030113213104.GB17799@nevyn.them.org> <[🔎] 87wul0g4bo.fsf@rabbit.fire-swamp.net>

On Sun, Jan 19, 2003 at 02:30:51PM -0800, Stephen Zander wrote:
> >>>>> "Daniel" == Daniel Jacobowitz <dan@debian.org> writes:
>     Daniel> On Mon, Jan 13, 2003 at 09:42:01AM -0600, Adam Heath
>     Daniel> wrote:
>     >> And I certainly hope tripwire is *not* modified to support such
>     >> a broken as designed system.
>     >> 
>     >> (the reason this is broken, is because one must run an
>     >> untrusted binary to check if the file has been modified)
> 
>     Daniel> Oh, Adam, that's blatantly ridiculous.  Think about it.
>     Daniel> You take whatever you do to dpkg and libc6 and tripwire in
>     Daniel> order to trust them and do it with prelink also.  Then
>     Daniel> it's a trusted binary.
> 
> Tripwire doesn't rely on *any* outside objects, it's built static to
> explicitly avoid such issues so all you're left having to trust is the
> tripwire executable itself.
> 
> As for relying on file checksums, depnds what you mean by "checksum".
> If SHA-1 is a checksum, then tripwire is not for you.
> 
> -- 
> Stephen (tripwire maintainer)

Then you turn prelink into a library and statically link to it, or you
link it statically and store it with the tripwire binary; it is
literally no increased exposure to do that unless you're concerned
about not trusting the exec() call, in which case you're too paranoid
to be running on your current kernel.

This is all easily solvable.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer

Reply to:

References:
- Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
  - From: Jack Howarth <howarth@bromo.msbb.uc.edu>
- (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
  - From: Adam Heath <doogie@debian.org>
- Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
  - From: Daniel Jacobowitz <dan@debian.org>
- Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
  - From: Stephen Zander <gibreel@debian.org>

Prev by Date: Re: Bloat: XML, GUI design (was: Re: [OT] Gnome configuration (was: Re: Congrats! [gnome font rendering]))
Next by Date: Re: question regarding prelinking (was: (inc. note from dpkg developers) (was:Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking))
Previous by thread: Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
Next by thread: Re: (inc. note from dpkg developers) Re: Bug#XXXXXX: (far too many packages) needs rebuilt for prelinking
Index(es):
- Date
- Thread