Re: Contrasting BSIGN and TRIPWIRE
On Sun, 13 Dec 1998, Oscar Levi wrote:
> If there is support among Debian developers, I think we could use this
> to sign all of our executables, libraries, and kernel modules.
Unfortunately Manoj is not here to deliver a nice flame so I'll just
interject before this goes too far.
The big (fatal!) difference between tripwire and bsign is that tripwire
allows the hashes to be stored separately from the file, preferably on a
read-only diskette. Without this capacity bsign is nothing more than a
fancy tool to protect against disk corruption.
Inserting signatures in our packages is entirely useless from a
security perspective, in fact it is no better than 'debsums'. The key is
to have a detached signature from a trusted source, to have a local
signature signed by a single trusted source, and a trusted source for that
source's public key. We cannot make adequate assurances of any of those
with in-package signatures. [Hint: A single developer's key is not
trusted.]
I'm not sure of the worth of Debian providing mechanisms to ensure that
installed programs do not suffer disk corruption. We already have multiple
levels of protection up to the moment the file is written to disk on the
target machine. After that I think we can safely leave it up to the local
admin (raid5 springs to mind).
Jason
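The distinction Jason draws above, a detached hash table kept off the host versus a check that travels inside the file, can be shown with a small model. This is an added example, not code from the thread, from Debian, tripwire or bsign; the file contents are constructed, the "embedded digest" trailer is a deliberately simplified stand-in for bsign's in-file signature (a real signature additionally raises the question of which key the verifier trusts, which is the trust-chain point made above), and the three scenarios are the ones the reply describes: an untouched system, plain disk corruption, and a file replaced on the host itself.

```python
import hashlib
import hmac

# Constructed sample "filesystem" (path -> contents). Not real Debian binaries.
ORIGINAL_FILES = {
    "/usr/bin/ls": b"\x7fELF-ls-original-bytes",
    "/lib/libc.so.6": b"\x7fELF-libc-original-bytes",
}

# Marker for the simplified in-file check (hypothetical format, not bsign's).
TRAILER = b"\n#EMBEDDED-DIGEST:"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Tripwire-style baseline: a detached table of hashes, taken once and
    then stored out of band (the read-only diskette in the reply above)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_baseline(files, baseline):
    """Compare the live filesystem with the detached baseline and return
    the sorted list of paths whose hash differs or which have disappeared."""
    changed = []
    for path, expected in baseline.items():
        data = files.get(path)
        if data is None or not hmac.compare_digest(sha256_hex(data), expected):
            changed.append(path)
    return sorted(changed)


def embed_digest(data: bytes) -> bytes:
    """In-file check: the digest is appended to the file it protects."""
    return data + TRAILER + sha256_hex(data).encode()


def verify_embedded(blob: bytes) -> bool:
    """Recompute the digest of the body and compare it with the trailer."""
    body, sep, digest = blob.rpartition(TRAILER)
    if not sep:
        return False
    return hmac.compare_digest(sha256_hex(body).encode(), digest)


def run_scenario():
    """Check /usr/bin/ls in three states with both mechanisms and return
    (paths flagged by the detached baseline, embedded check result)."""
    # Install: every file carries its trailer; the baseline is taken of the
    # installed files and then kept off the host.
    installed = {p: embed_digest(d) for p, d in ORIGINAL_FILES.items()}
    baseline = build_baseline(installed)

    # 1. Untouched system: neither mechanism reports anything.
    clean = (verify_baseline(installed, baseline),
             all(verify_embedded(b) for b in installed.values()))

    # 2. Disk corruption: a byte changes in the body. Both mechanisms notice,
    #    which is all the in-file check can ever promise.
    rotted = dict(installed)
    rotted["/usr/bin/ls"] = rotted["/usr/bin/ls"].replace(b"original", b"originaX", 1)
    bit_rot = (verify_baseline(rotted, baseline),
               verify_embedded(rotted["/usr/bin/ls"]))

    # 3. File replaced on the host with its trailer regenerated in place.
    #    The in-file check is consistent with itself and passes; only the
    #    detached baseline, which the host cannot rewrite, reports the change.
    replaced = dict(installed)
    replaced["/usr/bin/ls"] = embed_digest(b"\x7fELF-ls-replacement-bytes")
    replaced_result = (verify_baseline(replaced, baseline),
                       verify_embedded(replaced["/usr/bin/ls"]))

    return {"clean": clean, "bit_rot": bit_rot, "replaced": replaced_result}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:9s} detached={result[0]!r:16} embedded_ok={result[1]}")
```

The third scenario is the one that separates the two designs: the embedded check's reference value lives on the same medium as the file, so anything that can rewrite the file can make the check self-consistent again, whereas the detached baseline is only as trustworthy as the medium it is kept on, which is exactly why the reply insists on read-only storage for it.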