Re: dpkg verify mode for security?
On Thu, 15 May 1997, Chris Fearnley wrote:
> 'Amos Shapira wrote:'
> >
> >I was asking over Linux-ISP about doing cleanup after breakins and got
> >many "use tripwire" answers, and one which says that RPM has a verify
> >mode which checks for files which were changed since they were
> >installed. Can the dpkg maintainers consider adding such a feature
> >for Debian?
>
> What does the rpm verify give you? As far as I can tell it gives a
> false sense of security. Nothing more. The rpm database is easily
> hacked once root access is attained.
>
> Tripwire or something similar is the only viable option.
If the maintainers PGP-sign the verification data, they should be OK
(providing that you keep your PGP keyring on read-only media, like a
Debian CD-ROM). I'm presuming the best way to go is to have PGP-signed
md5sums. Another alternative is to keep a copy of the md5sums on read-only
media (CD-ROM springs to mind), and check against that.
--
Tom Lees <tom@lpsg.demon.co.uk> http://www.lpsg.demon.co.uk/
PGP ID 87D4D065, fingerprint 2A 66 86 9D 02 4D A6 1E B8 A2 17 9D 4F 9B 89 D6
finger tom@master.debian.org for full public key (also available on keyservers)
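
Added example (not part of the message above, and not dpkg code): a Python sketch of the second alternative Tom describes, checking installed files against an md5sums list kept off the running system. The function names, the md5sum-style manifest layout and the sample files are assumptions made for the illustration; the PGP signature on the manifest is assumed to have been checked beforehand.

```python
import hashlib
import re
import tempfile
from pathlib import Path

LINE = re.compile(r"([0-9a-fA-F]{32})(?:  | \*)(.+)")  # digest, separator, path

def md5_of(path):
    """Stream the file through MD5 in 64 KiB blocks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        while block := f.read(65536):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Return {path: digest}; reject any non-blank line that is malformed."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line {n}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def verify(manifest_text, root):
    """Assumes manifest_text was read from read-only media and its PGP
    signature already checked. Returns {path: ok|modified|missing}."""
    report = {}
    for rel, expected in parse_manifest(manifest_text).items():
        full = Path(root, rel.lstrip("/"))
        if not full.is_file():
            report[rel] = "missing"
        else:
            report[rel] = "ok" if md5_of(full) == expected else "modified"
    return report

def demo():
    """Constructed sample: manifest recorded first, files changed afterwards."""
    names = ("bin/ls", "bin/ps", "bin/su")
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        for name in names:
            Path(root, name).write_bytes(name.encode() + b" v1")
        manifest = "".join(f"{md5_of(Path(root, n))}  {n}\n" for n in names)
        Path(root, "bin/ps").write_bytes(b"changed")  # simulated tampering
        Path(root, "bin/su").unlink()
        return verify(manifest, root)
```

The result is only as trustworthy as the manifest: reading it from the installed system's own database brings back the objection quoted above.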