Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)

To: debian-devel@lists.debian.org
Subject: Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
From: "Bernhard R. Link" <blink@informatik.uni-freiburg.de>
Date: Wed, 3 Dec 2003 12:39:48 +0100
Message-id: <[🔎] 20031203123947.A6099@ganymed.informatik.uni-freiburg.de>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20031202153558.GA12920@wookimus.net>; from chewie@wookimus.net on Tue, Dec 02, 2003 at 09:35:58AM -0600
References: <[🔎] 8765h0mzk1.fsf@mrvn.homelinux.org> <[🔎] 3FCB50A2.90907@beamnet.de> <[🔎] 20031201161124.GA21059@complete.org> <[🔎] 20031201170828.GA17611@zombie.inka.de> <[🔎] 20031201201140.GC1952@wookimus.net> <[🔎] 20031202140123.A7688@ganymed.informatik.uni-freiburg.de> <[🔎] 20031202153558.GA12920@wookimus.net>

* Chad Walstrom <chewie@wookimus.net> [031202 18:14]:
> I'm not following your logic, if that's what you call it.  You're saying
> that checking the current filesystem on a daily basis is NOT a good way
> to verify filesystem integrity?

I say it won't give you an real advantage over checking the *.md5sums files.
(The only slight advantage is that it lists all file, but the disadvtage
 that you cannot verify your database).

> Update your system when you introduce a known change (a must).  Check it
> daily (a must).  What is incorrect about this policy?

It will only help you to catch intruders securely, if you your check
involves rebooting daily from a ro-media containing verified kernel and
checksum-utilities. Not to talk about, that a database update should at
least be done after booting from clear mendium without net-access and
checking that the changes are correct.

Otherwise it only catches intruders, hwo are to stupid to cope with system
installed. (Which is the same as with installed .md5sums files)


Hochachtungsvoll,
  Bernhard R. Link

-- 
Sendmail is like emacs: A nice operating system, but missing
an editor and a MTA.

Reply to:

References:
- Revival of the signed debs discussion
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
- Re: Revival of the signed debs discussion
  - From: Thomas Viehmann <tv@beamnet.de>
- Re: Revival of the signed debs discussion
  - From: John Goerzen <jgoerzen@complete.org>
- debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
  - From: Eduard Bloch <edi@gmx.de>
- Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
  - From: Chad Walstrom <chewie@wookimus.net>
- Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
  - From: "Bernhard R. Link" <blink@informatik.uni-freiburg.de>
- Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
  - From: Chad Walstrom <chewie@wookimus.net>

Prev by Date: Re: configuring lilo on package installation
Next by Date: Bug#222450: ITP: audiolink -- makes managing and searching for music easier
Previous by thread: Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
Next by thread: Re: debsums for maintainer scripts (was: Re: Revival of the signed debs discussion)
Index(es):
- Date
- Thread