
Re: dpkg verify mode for security?



On Thu, 15 May 1997, Chris Fearnley wrote:

> 'Amos Shapira wrote:'
> >
> >I was asking over Linux-ISP about doing cleanup after break-ins and got
> >many "use tripwire" answers, and one which says that RPM has a verify
> >mode which checks for files which were changed since they were
> >installed.  Can the dpkg maintainers consider adding such a feature
> >for Debian?
> 
> What does the rpm verify give you?  As far as I can tell it gives a
> false sense of security.  Nothing more.  The rpm database is easily
> hacked once root access is attained.
> 
> Tripwire or something similar is the only viable option.

If the maintainers PGP-sign the verification data, they should be OK
(providing that you keep your PGP keyring on read-only media, like a
Debian CD-ROM). I'm presuming the best way to go is to have PGP-signed
md5sums. Another alternative is to keep a copy of the md5sums on read-only
media (CD-ROM springs to mind), and check against that.

-- 
Tom Lees <tom@lpsg.demon.co.uk>			http://www.lpsg.demon.co.uk/
PGP ID 87D4D065, fingerprint 2A 66 86 9D 02 4D A6 1E  B8 A2 17 9D 4F 9B 89 D6
finger tom@master.debian.org for full public key (also available on keyservers)
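
The check proposed in the message above, as an added example that is not part of the original post or of dpkg: verify a detached signature on an md5sums manifest against a keyring held on read-only media, then compare installed files with the manifest. The function names, the `md5sum`-style manifest format with paths relative to the root, the example paths and the availability of a `gpg` binary are assumptions.

```python
import hashlib
import subprocess
from pathlib import Path


def verify_signature(manifest, signature, keyring):
    """True if `signature` is a valid detached signature over `manifest`,
    checked only against `keyring` (assumed to sit on read-only media)."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(signature), str(manifest)],
        capture_output=True)
    return result.returncode == 0


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_manifest(manifest, root="/"):
    """Return {path: 'modified' | 'missing'} for every manifest entry that
    does not match the file found under `root`."""
    problems = {}
    for line in Path(manifest).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(None, 1)
        name = name.strip()
        if name.startswith("*"):          # md5sum marks binary mode with '*'
            name = name[1:]
        name = name.lstrip("/")           # keep every lookup below `root`
        target = Path(root) / name
        if not target.is_file():
            problems[name] = "missing"
        elif md5_of(target) != expected.lower():
            problems[name] = "modified"
    return problems


if __name__ == "__main__":
    # Hypothetical paths: manifest, signature and keyring all on a mounted CD-ROM.
    cd = Path("/cdrom/verify")
    if verify_signature(cd / "md5sums", cd / "md5sums.sig", cd / "keyring.gpg"):
        for path, state in sorted(check_manifest(cd / "md5sums").items()):
            print(state, path)
    else:
        print("manifest signature did not verify; not trusting its checksums")
```

The result is only as trustworthy as the tools that produce it, so the interpreter, `gpg` and this script would need to come from the same read-only media as the keyring.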



