
Re: How reliable is "debsums"?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Justin Ryan wrote:
> Use both!  One advantage of debsums is that you can compare md5sums
> against a package, rather than just the system db.  If you fear that
> something may have been modified, you can download the .deb file and
> bypass anything that an attacker could modify.  Of course, the debsums
> binary could be modified to never report that anything has changed, but
> every little bit helps..

This isn't really reliable, because many important packages lack
md5sums. AFAIR it is optional to generate the md5sums in packages.

- - Alexander

- -- 
"fighting for peace is like fucking for virginity"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9kYSxFBE43aPkXWYRAn+sAJ93CgkgTYxI/nLRAWfXLQvDt+dxywCfVEWb
04jukmfaQ7bey0kHGEnM3y4=
=y/CA
-----END PGP SIGNATURE-----
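
The following is an added example, not part of the original message: a way to measure how many installed packages ship no md5sums at all, and so cannot be checked against the local database. It assumes dpkg's info directory layout (`<pkg>.list` and an optional `<pkg>.md5sums`, normally under /var/lib/dpkg/info); the function names and sample package data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dpkg's info directory layout:
# one <pkg>.list per installed package and an optional <pkg>.md5sums.

# Print every package that has a .list file but no non-empty .md5sums file.
list_missing_md5sums() {
    info_dir=$1
    for list in "$info_dir"/*.list; do
        [ -e "$list" ] || continue      # glob matched nothing
        pkg=$(basename "$list" .list)
        [ -s "$info_dir/$pkg.md5sums" ] || printf '%s\n' "$pkg"
    done
}

# Print "<packages without md5sums> <packages total>".
md5sums_coverage() {
    info_dir=$1
    total=0
    for list in "$info_dir"/*.list; do
        if [ -e "$list" ]; then total=$((total + 1)); fi
    done
    missing=$(list_missing_md5sums "$info_dir" | wc -l | tr -d ' ')
    printf '%s %s\n' "$missing" "$total"
}

# Constructed sample: three packages, one with checksums, one without,
# one with an empty md5sums file (which verifies nothing).
make_sample_info_dir() {
    d=$(mktemp -d)
    printf '/.\n/bin/ls\n' > "$d/coreutils.list"
    printf '0123456789abcdef0123456789abcdef  bin/ls\n' > "$d/coreutils.md5sums"
    printf '/.\n/sbin/init\n' > "$d/sysvinit.list"
    printf '/.\n/lib/libc.so.6\n' > "$d/libc6.list"
    : > "$d/libc6.md5sums"
    printf '%s\n' "$d"
}

# Usage: sh check.sh /var/lib/dpkg/info   (no argument: constructed sample)
dir=${1:-$(make_sample_info_dir)}
list_missing_md5sums "$dir"
md5sums_coverage "$dir"
```

Packages this reports can only be verified against checksums computed from a separately obtained copy of the .deb.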


