On 01-07-28 Marcus Brinkmann wrote: > On Sat, Jul 28, 2001 at 04:33:29PM +0200, Wichert Akkerman wrote: > > Previously Marcus Brinkmann wrote: > > > Also, the checksums can be verified by lintian, the upload queue > > > daemons, dinstall, mirrors, CD creators and all users > > > individually, so they will get a thorough checking. > > > > But they do check checksums! They check the MD5 sum which > > guaranteers the package is correct. We also have the internal gzip > > checksums which will catch corrupted files. > > Yes. So why do we need more checksums again? The checksums generated > by the systems are not usable for the purpose I have in mind > (verifying the state of the system after an attack or corruption), if Wait, if your system has been attacked, then you shouldn't just trust the output of a tool that calculates md5sum for the installed binaries and compare them to a list stored somewhere. The attacker could have for example replaced this tool with his own version, which hides some modification. Or he placed some other tools on your machine which you won't notice and which you can't verify. In those cases only a tool like tripwire, aide or integrit will help you. So if your system was attacked, I would suggest removing the hard-disk from the system and placing it in an other pc, creating a backup with dd and installing your system from a scratch again. > the files in the packages on the CD have the checksums precalculated, > the verification is faster and easier to perform regularly. And who gurantees you that the checksums on the CD are correct? Who ensures that the CD has not been replaced with one, which contains modified debs and therefor modified checksums, which match your system, so that you don't see that someone modified some binaries? Christian -- Debian Developer (http://www.debian.org) 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
Attachment:
pgpwGw2d4B6GD.pgp
Description: PGP signature