[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

Chad Walstrom <chewie@wookimus.net> writes:

> On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
> > > A true IDS is needed, such as aide, tripwire, or cfengine to detect
> > > post-installation intrusion.  Tie in aide or tripwire database
> > > checks/updates with the apt.conf "PostInst" option in addition to a
> > > daily cronjon to ensure the database is updated in a timely manner.
> > 
> > I think this is even more stupid than using *.md5sums. When they are
> > daily generated, you have no chance at all to be sure they are not
> > modified.
> I'm not following your logic, if that's what you call it.  You're saying
> that checking the current filesystem on a daily basis is NOT a good way
> to verify filesystem integrity?
> Update your system when you introduce a known change (a must).  Check it
> daily (a must).  What is incorrect about this policy?

I think he misunderstood you. He thought you would update the md5sums
daily via cron instead of checking the daily.


Reply to: