
Re: packages without .md5sums file?



On 01-07-28 Marcus Brinkmann wrote:
> On Sat, Jul 28, 2001 at 04:33:29PM +0200, Wichert Akkerman wrote:
> > Previously Marcus Brinkmann wrote:
> > > Also, the checksums can be verified by lintian, the upload queue
> > > daemons, dinstall, mirrors, CD creators and all users
> > > individually, so they will get a thorough checking.
> > 
> > But they do check checksums! They check the MD5 sum which
> > guarantees the package is correct. We also have the internal gzip
> > checksums which will catch corrupted files.
> 
> Yes.  So why do we need more checksums again?  The checksums generated
> by the systems are not usable for the purpose I have in mind
> (verifying the state of the system after an attack or corruption), if

Wait, if your system has been attacked, then you shouldn't just trust
the output of a tool that calculates md5sum for the installed binaries
and compare them to a list stored somewhere. The attacker could have for
example replaced this tool with his own version, which hides some
modification. Or he placed some other tools on your machine which you
won't notice and which you can't verify. In those cases only a tool like
tripwire, aide or integrit will help you. So if your system was
attacked, I would suggest removing the hard disk from the system and
placing it in another PC, creating a backup with dd and installing your
system from scratch again.

> the files in the packages on the CD have the checksums precalculated,
> the verification is faster and easier to perform regularly.

And who guarantees you that the checksums on the CD are correct? Who
ensures that the CD has not been replaced with one which contains
modified debs and therefore modified checksums, which match your system,
so that you don't see that someone modified some binaries?

Christian
-- 
           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

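The check under discussion, done the way Christian describes it, is an offline one: the suspect disk is mounted read-only on a clean machine and its files are compared against a checksum list that did not come from the suspect system. The script below is an added example, not code from this thread or from dpkg; it parses the `.md5sums` format that Debian packages ship (`<32 hex digits>  <path relative to />`, one file per line), hashes each listed file under an assumed mount point such as `/mnt/suspect`, and reports which files match, differ, or are missing. The hostname, paths and file contents in `demo()` are constructed for the example. MD5 is used here only because that is the digest the package lists carry; it is no longer collision resistant, so a list from a trusted source is what gives the comparison its value, which is exactly the objection raised in the reply.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's .md5sums format: '<32 hex>  <path relative to />' per line.

    Returns {relative_path: md5_hex}. Raises ValueError on malformed lines so a
    truncated or tampered list is not silently accepted as 'all ok'.
    """
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError("malformed md5sums line: %r" % line)
        int(digest, 16)  # rejects non-hex digests
        entries[path] = digest.lower()
    return entries


def md5_of_file(path, chunk=65536):
    """Stream a file through MD5 (the digest dpkg lists use)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(entries, root):
    """Compare every listed file under `root` (the offline-mounted suspect disk).

    Returns {'ok': [...], 'mismatch': [...], 'missing': [...]} with relative paths.
    Running this from a clean host against a read-only mount avoids trusting any
    binary on the suspect system, including its own md5sum.
    """
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel, expected in sorted(entries.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of_file(full) == expected:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    return result


def demo():
    """Constructed scenario: a fake mounted root with one intact file, one file
    modified after the list was recorded, and one listed file that is absent."""
    root = tempfile.mkdtemp(prefix="suspect-root-")  # stands in for /mnt/suspect
    files = {
        "usr/bin/good": b"#!/bin/sh\necho good\n",
        "usr/bin/bad": b"#!/bin/sh\necho original\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The list as it would come from a trusted source (not from the suspect disk).
    md5sums_text = "".join(
        "%s  %s\n" % (hashlib.md5(data).hexdigest(), rel) for rel, data in files.items()
    )
    md5sums_text += "00000000000000000000000000000000  usr/bin/absent\n"
    # Simulate a modification made after the list was recorded.
    with open(os.path.join(root, "usr/bin/bad"), "wb") as f:
        f.write(b"#!/bin/sh\necho modified\n")
    return verify_tree(parse_md5sums(md5sums_text), root)


if __name__ == "__main__":
    for status, paths in demo().items():
        for p in paths:
            print("%-9s %s" % (status, p))
```

In practice the entries would be read from the `.md5sums` files of a known-good copy of each package rather than from `/var/lib/dpkg/info` on the suspect disk, and `root` would be the mount point of the disk pulled from the affected machine; files that are not in any list (added tools, extra setuid binaries) are not covered by this comparison at all, which is the gap the integrity checkers named in the reply are meant to close.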