
Re: packages without .md5sums file?



On Sat, Jul 28, 2001 at 04:33:29PM +0200, Wichert Akkerman wrote:
> Previously Marcus Brinkmann wrote:
> > The point I am trying to make is, that self-generating the checksums
> > introduces a single point of failure, my system.
> 
> That system is a point of failure anyway since it could corrupt things
> when installing them or miscalculate the checksum of the installed file
> when you compare them.

Correct, this is why you should do the comparison after booting a
stable system from a trusted bootable cdrom, or unplug the hard disk and
do the comparison in a different, trusted and stable computer.
 
> > Also, the checksums can be verified by lintian, the upload queue daemons,
> > dinstall, mirrors, CD creators and all users individually, so they will get a
> > thorough checking.
> 
> But they do check checksums! They check the MD5 sum which guarantees the
> package is correct. We also have the internal gzip checksums which will
> catch corrupted files.

Yes.  So why do we need more checksums again?  The checksums generated by
the systems are not usable for the purpose I have in mind (verifying the
state of the system after an attack or corruption), if they are modifiable
during the normal operation of the system (because they could have been the
object of the same attack or corruption).  So I always have to do the
comparison against the files in the packages on the CD or on the net, which
is a slow operation. If the files in the packages on the CD have the checksums
precalculated, the verification is faster and easier to perform regularly.

But maybe we talk about different applications of the checksums.
The checksums I am thinking of could also be calculated at the CDROM
generation process and kept in a global file on the CDs.  Likewise,
dinstall could calculate them and the ftp archive could have a global file.
This would not give them the same amount of verification as the process I suggested
earlier, but would effectively provide me with everything I need.

Thanks,
Marcus

-- 
`Rhubarb is no Egyptian god.' Debian http://www.debian.org brinkmd@debian.org
Marcus Brinkmann              GNU    http://www.gnu.org    marcus@gnu.org
Marcus.Brinkmann@ruhr-uni-bochum.de
http://www.marcus-brinkmann.de
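
The check described in this message, as an added example that is not part of the original post: a suspect disk is mounted under a directory on a trusted system and compared against a precalculated checksum manifest taken from read-only media. The manifest is assumed to use md5sum-style lines (`<digest>  <relative path>`); the function names, paths and file contents are constructed for illustration.

```python
import hashlib, os, tempfile

def file_digest(path, algo="md5"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines into {relative_path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries

def verify(root, manifest, algo="md5"):
    """Compare files under `root` (the mounted suspect disk) with the manifest."""
    report = {"ok": [], "modified": [], "missing": [], "not_regular": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel.lstrip("/"))  # never escape `root`
        if not os.path.lexists(full):
            report["missing"].append(rel)
        elif os.path.islink(full) or not os.path.isfile(full):
            # A symlink would be resolved on the trusted host, not on the
            # suspect disk, so report it instead of hashing the wrong file.
            report["not_regular"].append(rel)
        elif file_digest(full, algo) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample: three files, one altered and one deleted afterwards."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        files = {"usr/bin/ls": b"ls", "usr/bin/ps": b"ps", "usr/bin/who": b"who"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        trusted = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n" for r, d in files.items())
        with open(os.path.join(root, "usr/bin/ps"), "wb") as f:
            f.write(b"changed after the manifest was made")
        os.remove(os.path.join(root, "usr/bin/who"))
        return verify(root, parse_manifest(trusted))

if __name__ == "__main__":
    print(demo())
```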


