
Re: Rooted? Could anything innocently alter the "i" flag?



On Tue, Mar 23, 2004 at 12:12:39PM +0000, Anthony Campbell wrote:
> On 23 Mar 2004, Brian Brazil wrote:
> > 
> 
> [snip] 
> 
> > I said md5sum for a reason. Even a checksum would be nice. See
> > RFC1680(?) - MD5, RFC1750 - Randomness recommendations for security.
> > Essentially date (touch) and file size (echo >>) are easy to modify.
> > With a one-way hashing algorithm though it's more difficult to get the
> > right answer with a bad file.
> 
> [snip] 
> 
> What is the best way to verify that the result of md5sum for a file is
> what it ought to be?

A lot of Debian packages keep md5sums. See package debsums. Of course
you should also ensure that the .deb is digitally signed, in blood by the
maintainer who you personally meet every time you want to upgrade. Even
then you have to verify the machine code. Google for Ken Thompson's backdoor
in login/gcc (or whatever compiler it was back then).

Brian
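
Added example, not part of the original message: a shell script illustrating the point made in the thread that timestamp and file size are easy to reset while a recorded hash still exposes the change, checked with `md5sum -c`. It assumes GNU coreutils and works only on constructed files in a temporary directory; the names `login`, `ref` and `known.md5` are made up for the illustration.

```shell
#!/bin/sh
# Added example: works only on constructed files in a temporary directory.
# Assumes GNU coreutils (md5sum, stat -c, touch -d/-r), as on Debian.

# Print "size mtime" for a file: the metadata a naive check would compare.
meta() { stat -c '%s %Y' "$1"; }

# Succeed if two files have identical size and modification time.
same_metadata() { [ "$(meta "$1")" = "$(meta "$2")" ]; }

# Check every file listed in DIR/known.md5 (md5sum output format) against
# its recorded hash; a non-zero exit status means at least one mismatch.
verify_md5() { ( cd "$1" && md5sum -c known.md5 >/dev/null 2>&1 ); }

# Build the constructed scenario and print the directory path.
build_demo() {
    dir=$(mktemp -d) || return 1
    printf 'original binary contents\n' > "$dir/login"
    touch -d '2004-03-01 00:00:00' "$dir/login"
    # Record the known-good hash while the file is still trusted.
    ( cd "$dir" && md5sum login > known.md5 )
    # Keep a reference copy (cp -p preserves the timestamp) for comparison.
    cp -p "$dir/login" "$dir/ref"
    # Same-length content change, then the old timestamp put back with touch.
    printf 'modified binary contents\n' > "$dir/login"
    touch -r "$dir/ref" "$dir/login"
    echo "$dir"
}

main() {
    d=$(build_demo) || exit 1
    same_metadata "$d/ref" "$d/login" && echo "size and mtime: unchanged"
    verify_md5 "$d" || echo "md5sum -c: MISMATCH detected"
    rm -rf "$d"
}
main
```

The recorded list is only as trustworthy as the place it is kept, so store it (or its signature) somewhere the checked machine cannot write to.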


