Re: And now for something completely different... etch!



On Wed, Jun 15, 2005 at 01:10:57PM -0700, Russ Allbery wrote:
> Ian Campbell <ijc@hellion.org.uk> writes:

> > I might be talking out of my arse (99% probability ;-)) but I thought
> > I'd heard that it was possible to store the pre-linking information
> > separately to the binaries, under /var/cache or something for example.

> > Am/was I imagining things?

> One of the points of the md5sum verification is to ensure that the
> binaries haven't been tampered with.  If one can tamper with the binaries
> by modifying some file in /var/cache instead, doesn't that just
> reintroduce the same problem?

There are two basic reasons why people want md5sums of their binaries: to
know when their filesystem is eating files, and as an extra layer of
security to tell them their binaries have been modified by an intruder.  In
the first instance, removing the cache and regenerating it would be
sufficient to eliminate any corrupted files; in the second instance,
removing the cache and regenerating it would be sufficient to eliminate any
trojaned files (though, what a strange attack vector that would be :).

-- 
Steve Langasek
postmodern programmer
