Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
* Chad Walstrom <email@example.com> [031202 18:14]:
> I'm not following your logic, if that's what you call it. You're saying
> that checking the current filesystem on a daily basis is NOT a good way
> to verify filesystem integrity?
I say it won't give you an real advantage over checking the *.md5sums files.
(The only slight advantage is that it lists all file, but the disadvtage
that you cannot verify your database).
> Update your system when you introduce a known change (a must). Check it
> daily (a must). What is incorrect about this policy?
It will only help you to catch intruders securely, if you your check
involves rebooting daily from a ro-media containing verified kernel and
checksum-utilities. Not to talk about, that a database update should at
least be done after booting from clear mendium without net-access and
checking that the changes are correct.
Otherwise it only catches intruders, hwo are to stupid to cope with system
installed. (Which is the same as with installed .md5sums files)
Bernhard R. Link
Sendmail is like emacs: A nice operating system, but missing
an editor and a MTA.