
Re: packages without .md5sums file?



On Sat, Jul 28, 2001 at 12:49:13PM +0200, Christian Kurz wrote:
> But, our packages are not only available burned on CD, but from lots of
> ftp servers, where they are located on a writable media, called hard
> disk. So, the packages can still be modified and a checksum changed so
> that you won't notice it. Also you forget that the package and the
> md5sum are generated on a system about which you have absolutely no
> information and can't make any assumption about its security and if
> it's trustworthy or not. So, I find your argumentation above absolutely
> not legally, as you are not looking at the whole problem. 

I am, in the bounds we can think about the problem in Debian.

The point I am trying to make is that self-generating the checksums
introduces a single point of failure: my system.  If every maintainer
generates them themselves, some packages might have wrong checksums, but in
general this would not affect the checksums in other packages.  Also, the
checksums can be verified by lintian, the upload queue daemons, dinstall,
mirrors, CD creators and all users individually, so they will get a thorough
checking.  Compared to that, nothing will have verified my md5sums when I
created them.  I would have to compare them with multiple mirrors or CD ROM
sets myself, which is a lot of work.

BTW, mirrors are of little concern when the signatures are effective, as
those will verify the integrity of the checksums, as they come from the
maintainer or Debian.

For the maintainer's/builder's machine, the best we can hope for is that the
checksum matches the contained files.  There is *nothing* in our process
which makes sure that those files are sane, except for the maintainer's
careful work to protect the packages he builds.  If the maintainer's build
machine is broken, we are out of luck anyway.  Besides the checksums, the
whole build might be broken (contain a trojan etc.).  Providing wrong
checksums, which don't match the package's files, would only make the attacker
reveal himself.

Have I made it more clear this time what the difference is?

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
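As an added illustration of the mechanism discussed in this thread (example code written for this page, not code from the mail or from Debian's own tools): the script parses the `<md5 hex>  <relative path>` format of a Debian `.md5sums` file, checks an installed tree against it, and then shows the point of the argument above, namely that a checksum file regenerated on the same host that holds the modified files "verifies" cleanly, so the protection is only as good as the independence of the place the checksums come from. The package tree, file contents and paths are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sums(text):
    """Parse md5sums text into {relative_path: hex_digest}.

    Each entry is "<32 lowercase hex chars><two spaces><path>", the same
    layout that the md5sum(1) utility prints.  Malformed lines raise.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or set(digest) - HEX or not path:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        entries[path] = digest
    return entries


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5sums(root, entries):
    """Return {relative_path: "ok" | "mismatch" | "missing"} for a tree under root."""
    results = {}
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def generate_md5sums(root, rel_paths):
    """Produce md5sums text for the given paths, as a maintainer's build would."""
    return "".join(
        f"{md5_of_file(os.path.join(root, p))}  {p}\n" for p in sorted(rel_paths)
    )


def demo():
    """Constructed package tree: verify, tamper, re-verify, then regenerate.

    Returns three result dicts: (clean install, after tampering with the
    shipped checksums, after tampering with checksums regenerated locally).
    """
    # Constructed sample files standing in for a package's payload.
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/hello/README": b"hello world\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Checksums as they would arrive with the package, before any change.
        shipped = parse_md5sums(generate_md5sums(root, files))
        clean = verify_md5sums(root, shipped)

        # Modify one installed file; the shipped checksums now catch it.
        with open(os.path.join(root, "usr/bin/hello"), "ab") as f:
            f.write(b"echo modified\n")
        tampered = verify_md5sums(root, shipped)

        # Checksums regenerated on the same host agree with the modified file,
        # which is why an independent source (a signature over the checksums)
        # matters more than where the list is generated.
        local = parse_md5sums(generate_md5sums(root, files))
        regenerated = verify_md5sums(root, local)
        return clean, tampered, regenerated


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "regenerated"), demo()):
        print(label, result)
```

The `parse_md5sums` function deliberately rejects anything that is not a 32 hex digit digest followed by exactly two spaces, so a truncated or hand-edited list fails loudly rather than silently verifying fewer files.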


