
Re: md5 package summaries on ftp server (was Re: System integrity)

On Fri, Jun 25, 1999 at 03:55:20PM +1000, Brian May wrote:
> In article <19990624042828.A9338@ormond.unimelb.edu.au> you write:
> >> 
> >> 2. I would also get the maintainer/uploader to sign the [md5sums] file using
> >> PGP/GPG...
> >
> >Ideally - yes.  Practically - no. 
> Why would it be impractical?
> Of course, something like this wouldn't occur overnight, but you could have
> every new package contain a signed md5sum file, say from now, possibly
> making some package higher priority than others (eg essential packages),
> and the packages that don't yet contain this new feature - well that is
> no worse off than it currently is now...

That's my point - it would require large changes that can't happen overnight.
(Changes to dinstall, dpkg, apt, etc). And besides - this sort of checking can
be done already (to a degree).

An md5sum is generated from every .deb file, as packaged by the maintainer,
and stored in the .dsc file that is uploaded with every package.  The .dsc
file is signed by the maintainer.  So you can verify the integrity of a .deb
file, and hence an md5sums file can be generated from the contents of that
file and known to be valid.

> As I said before, signing the md5sums file has the advantage (IMHO),
> that you can securely check all non-config files on a system for any
> tampering. Of course somebody could tamper with your copy of PGP to
> produce false positives, but if that is really important, you can easily
> boot up from a known good floppy with a good copy of PGP, md5sum, and
> Debian signatures. In short - I think it would be worth it.
> Maybe this could be done as well as automatically signing the entire
> package by the FTP site when it is uploaded - the maintainers
> signature says - yes, no one has tampered with any files in/from this
> package since I uploaded it, and the debian signature says - yes,
> this is a valid Debian package.
> If this was to be used, I would suggest changing the debian signature
> with every release (eg potato) so that a particular package is
> "endorsed" to be valid for a particular release. Furthermore, if the
> private key for any early release gets compromised, it doesn't have such
> a significant impact.

That could be an interesting idea.....I like the sound of it...


       As a computer, I find your faith in technology amusing.
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5
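A worked check of the kind the reply describes, as an added example that is not part of this thread: it parses the "Files:" stanza of a .dsc (md5sum, size, filename per line) and compares each entry against the file on disk. It assumes the PGP signature on the .dsc has already been verified with gpg; the package filename and its contents are constructed.

```python
"""Check files on disk against the md5sum/size entries of a .dsc 'Files:' stanza.

Added example, not Debian's own tooling.  The signature on the .dsc must be
verified first (gpg --verify); only then are these md5sums worth trusting.
"""
import hashlib
import os
import tempfile

def parse_files_stanza(text):
    """Return {filename: (md5hex, size)} from the 'Files:' section of a .dsc."""
    entries, in_files = {}, False
    for line in text.splitlines():
        if line.startswith("Files:"):
            in_files = True
            continue
        if in_files:
            if not line.startswith(" "):     # stanza ends at first unindented line
                break
            md5hex, size, name = line.split()
            entries[name] = (md5hex, int(size))
    return entries

def check_files(entries, directory):
    """Return a list of (filename, problem) for every entry that fails the check."""
    problems = []
    for name, (md5hex, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if len(data) != size:
            problems.append((name, "size mismatch"))
        elif hashlib.md5(data).hexdigest() != md5hex:
            problems.append((name, "md5sum mismatch"))
    return problems

def demo():
    """Constructed sample: a good .deb, then the same file altered after upload."""
    with tempfile.TemporaryDirectory() as d:
        deb = os.path.join(d, "hello_1.0-1_i386.deb")   # hypothetical package name
        payload = b"fake .deb contents\n"
        with open(deb, "wb") as f:
            f.write(payload)
        dsc = ("Format: 1.0\nSource: hello\nFiles:\n "
               f"{hashlib.md5(payload).hexdigest()} {len(payload)} hello_1.0-1_i386.deb\n")
        entries = parse_files_stanza(dsc)
        before = check_files(entries, d)
        with open(deb, "wb") as f:
            f.write(b"FAKE .deb contents\n")   # same size, different bytes
        after = check_files(entries, d)
    return before, after
```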
