
Bug#223772: Reply: Re: Bug#223772: general: no md5sums for many packages (e.g. bc)



werner.thoeni@arz.co.at writes:

> Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> wrote on
> 16.12.2003 19:15:43:
>
> Now it is getting clearer. We are talking about different things.
> I'm talking about the md5sums files in the directory
> /var/lib/dpkg/info. You talk about the MD5 sum of the whole package
> (MD5sum). So what I'd like to say is that for the Debian package bc
> (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in
> place. This file is checked and used by the tool debsums. That is
> the thing I'm complaining about.

I know. I'm talking about both.

> Regards, Werner
> > werner.thoeni@arz.co.at writes:
> >
> > > Goswin,
> > > > werner.thoeni@arz.co.at writes:
> > > >
> > > > > Subject: general: no md5sums for many packages (e.g. bc)
> > > > > Package: general
> > > > > Version: N/A; reported 2003-12-12
> > > > > Severity: normal
> > > > > Tags: security
> > > >
> > > > Every package has a md5sum in the Package file.
> > > The answer is not correct. Please see as an example the package bc with
> > > version 1.06-8 or bzip2 version 1.0.2-1, ....
> >
> > Package: bc
> > Version: 1.06-12
> > MD5sum: 9e9945dd5b84b14658c179c2b04c7b89
> >
> > _EVERY_ deb has a md5sum in the Packages file.
> >
> > > > Some packages have a useless and space wasting md5sums file inside the
> > > > package. Due to its uselessness the existence is rather a bug than its
> > > > omission.
> > > I don't understand your comment above. Why is the md5sums file useless and
> > > space wasting, especially in terms of security? Until now, I was of the
> > > opinion that the md5sum gives me the guarantee that a Debian package is
> > > not penetrated before installation and further - after having the packages
> > > installed on a machine - the md5sum files give me the confidence that the
> > > Debian binaries are correct and consistent.
> >
> > Any attacker would surely change the md5sums file along with changing
> > the actual files. Nothing guards against the md5sums file getting
> > changed intentionally or accidentally.
> >
> > Only the global md5sum in the Packages file says the file has not been
> > changed since, well, since the Packages file was generated. Since
> > nothing checks the Release.gpg signature (without apt-secure
> > installed) that's not much more secure either. But you can make sure
> > it's not changed since ftp-master.debian.org generated the file.
> >
> > Regards
> >         Goswin

Regards
        Goswin
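The exchange above turns on what a per-package md5sums list (the file debsums reads from /var/lib/dpkg/info) can and cannot tell you. The following script, added here as an illustration and not part of the bug report or of debsums itself, re-implements that check against a constructed temporary directory: it assumes dpkg's md5sums format (`<32 hex digits>  <path relative to />`, one entry per line) and that the list lives next to the installed files it describes. It shows the check catching an accidental change to a file, and then shows why Goswin calls the list no protection on its own: once the unsigned list is regenerated to match the changed file, the same check reports everything as OK, so the only anchor that still says anything is the MD5sum in the Packages file (and the Release.gpg signature over that, where it is verified).

```python
"""Added example: what a /var/lib/dpkg/info/<pkg>.md5sums check can and cannot
detect. Not code from the bug report or from debsums; runs offline on a
constructed temp directory (assumption: dpkg's '<md5>  <relative path>' format)."""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse the md5sums format: '<32 hex chars>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    """MD5 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def check_package(root, md5sums_text):
    """Return {relative_path: 'OK' | 'FAILED' | 'MISSING'}, the kind of verdict
    debsums gives, with `root` standing in for / (assumption for the demo)."""
    results = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = 'MISSING'
        elif md5_of_file(full) == expected:
            results[rel] = 'OK'
        else:
            results[rel] = 'FAILED'
    return results


def demo():
    """Constructed scenario: a fake root with two files and their md5sums list.
    Returns the verdicts for (clean install, file changed, file and list changed)."""
    root = tempfile.mkdtemp()
    files = {
        'usr/bin/bc': b'#!/bin/sh\necho bc\n',
        'usr/share/doc/bc/copyright': b'GPL\n',
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as f:
            f.write(data)
    # The list as the package would ship it, computed from the pristine files.
    md5sums = ''.join('%s  %s\n' % (hashlib.md5(d).hexdigest(), rel)
                      for rel, d in files.items())
    clean = check_package(root, md5sums)

    # Accidental or careless change: the file changes, the list does not -> detected.
    with open(os.path.join(root, 'usr/bin/bc'), 'ab') as f:
        f.write(b'echo modified\n')
    modified = check_package(root, md5sums)

    # The list is an unsigned file beside the data it describes; once it is
    # regenerated from the current files, the same check is silent again.
    regenerated = ''.join('%s  %s\n' % (md5_of_file(os.path.join(root, rel)), rel)
                          for rel in files)
    list_rewritten = check_package(root, regenerated)
    return clean, modified, list_rewritten


if __name__ == '__main__':
    for label, verdict in zip(('clean', 'file changed', 'file+list changed'), demo()):
        print(label, verdict)
```

The three verdicts are the whole argument in miniature: the first and last are identical, so a clean debsums run proves integrity only relative to whatever the md5sums file currently says. To anchor a check in something that cannot be rewritten on the same machine, compare the downloaded .deb against the MD5sum field in the Packages file, whose own integrity in turn rests on the Release.gpg signature being checked.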
