Re: md5sums (was Re: System integrity...)

To: debian-devel@lists.debian.org, Chris <masklin@debian.org>, Martin Bialasinski <martin@internet-treff.uni-koeln.de>
Cc: debian-devel@lists.debian.org
Subject: Re: md5sums (was Re: System integrity...)
From: Rene Mayrhofer <rmayr@vianova.at>
Date: Mon, 14 Jun 1999 10:41:32 +0000
Message-id: <[🔎] 99061410594000.02393@earth>
References: <[🔎] 19990614202859.A1180@ormond.unimelb.edu.au>

-----BEGIN PGP SIGNED MESSAGE-----

Am Mon, 14 Jun 1999 schrieb Chris:
> On Sun, Jun 13, 1999 at 03:46:42AM +0200, Martin Bialasinski wrote:
> <snip> 
> > CL> What is the criteria that determines which packages get .md5sums
> > CL> files stored in /var/lib/dpkg/info/ ??
> > 
> > The file is created during debian/rules binary by dh_md5sums or other
> > means.
> > 
> 
> Yes...but I wasn't sure if there was policy requirement for this or not(?).
> Or is it just "a good thing"(TM)?
Is it a policy requirement ? If it is not, we may discuss about adding it. I
know there were discussions concerning that but I think we should take the 
(very good) statements mentioned in the last days into account.

> Would it be difficult to extract the md5 information from a debian package
> to store in a seperate record on a debian server (similar to package info
> stored in the package lists)?  We could then enhance debsums to download and
> use these records (which would hopefully be free from corruption/error).
dpkg-deb --info <debian-pacakge-file> md5sums

How much work would it be to create scripts for creating these records and to
enhance debsums ?
  
> This would be particularily usefull for people who want to verify installations
> that have been "hacked" (similar to the way tripwire requires a database
> on read-only media).  Having .md5sums on the local system isn't overly usefull
> for this, as they could be as easily modified as any system binaries.
I am in desperate need of such a verification method, as I am developing a
Debian-based firewall. We could also simply store the md5sums on a local,
read-only media (a cd-rom, a floppy, ...). But then dpkg has to be changed so
that we can configure the location of all security-related files (or can this
be done now ?) .

Rene

--
------------------------------------------------------------------------------
Rene Mayrhofer, ViaNova KEG             NIC-HDL: RM1677-RIPE
Email: rmayr@vianova.at                 Snail: Penz 217, A-4441 Behamberg

PGP(DSS): E661 2E45 9B7F B239 D422  0A90 A4C2 DA09 F72F 6EC5
PGP(D/H): B77F 51A8 B046 87A6 4D61  2C5D 742F F433 6732 E4DC
PGP(RSA): 5D D4 FD A6 CE AF 4B 82  67 7F 59 89 58 CA 61 0D
GPG:      5E50 BDA0 E0B7 75A7 08AA  1123 0A4C 9474 CAA2 658B
------------------------------------------------------------------------------



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: uSEkxMCN89YH38dfc+O3vsL+JM90PFNf

iQEVAwUBN2TgnzUZOr/Z+6dLAQGmZAf/Zi8MoTtBhU3dSsmQZxKHeQhUDFGF7Jkf
tiZiYuaeOzeEdYx9fr98bpzCA9FRjHRXitvNMpjdxzQtgwGQz4XeaxPG1YxQY91p
r3DQmZJr7SM8MyxEFju8Zp/rZnyhqc+dbfKflYsLvzLepHsidsnX41X2QPBtFKQE
+GO9EOAV9uwyx8H6PZowTwnTa2GqT9ybTCW6wnXjWfLZp11v/AvhqzO0vzvRjCvc
ZvC6QMGpw9CSosFfjpquUGYBK2t8Y09l8fp63XBvTOmDV1vi/kAGxaQY2XMrHL3I
lJLPnNbkDYAXpuA+zqCPqpYohc5pKYzWDFT6RFpoy+OyCFszeVhSag==
=n32z
-----END PGP SIGNATURE-----

Reply to:

References:
- Re: md5sums (was Re: System integrity...)
  - From: Chris <masklin@debian.org>

Prev by Date: Re: KDE liscence question
Next by Date: Re: md5sums (was Re: System integrity...)
Previous by thread: Re: md5sums (was Re: System integrity...)
Next by thread: Re: md5sums (was Re: System integrity...)
Index(es):
- Date
- Thread