
Re: debsums for maintainer scripts



"Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:

> * Manoj Srivastava <srivasta@debian.org> [031203 20:12]:
> > 	Before we make such a push, we should at least ensure that it
> >  is something we really want to do. I think locally generated
> >  checksums are a better solution.
> 
> I don't think so. md5-calculation is not the fastest thing (especially
> on non-i386 it often feels like downloading and installing together
> needs less time than the md5sum-verification).
> So this should be switched off, but then it will be missing when one
> needs them.

The md5sum file should be generated at build time, signed and only the
signature kept. The signature is small enough not to cause bloat; it
can be included in the Packages file, or a Signatures.gz file containing
all signatures could be maintained in the archive.

When one needs to verify, the md5sum files can be generated
(dpkg-repack and then generate them) and compared. Or the files can be
generated at install time and stored too. Intrusion detection systems
could use those files then, since the signature prevents tampering. It
would be the user's choice.

> Not having some host-specific automatism makes it also much easier to
> verify them. A kernel together with some mount-md5sum-cruft-debsums
> utility may fit together with the md5sums of the .md5sums files on
> a floppy. If those files may look different, one may need to include
> those files as well. (And extracting them from some package pool is
> also more complicated).
> 
> It's also a warm feeling to run debsums to see the broken memory chip
> one just replaced with a working one has not caused any bit-changes
> in the installed files. If the checksums were created at the same
> system, one has to get them from somewhere else, so there is little
> sense in having them generated at all.

The signature of the locally generated ones wouldn't match the one in
the Packages or Signatures file. If the Packages/Signatures file has
been tampered with itself (passed through bad memory) one gets a few
false negatives but never (1:874584575... whatever the hash size is
there) a false positive.

MfG
        Goswin
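The scheme Goswin sketches above (sign the .md5sums manifest at build time, keep only the signature, regenerate the manifest from the installed files when checking) as an added example, not code from the mail or from debsums/dpkg. Assumptions: the package contents, the key and the HMAC stand-in for the archive's detached OpenPGP signature are all constructed here so the example runs on the Python standard library.

```python
import hashlib, hmac, os, tempfile

# Constructed sample package contents (path -> bytes), standing in for the
# files a binary package installs.
SAMPLE_FILES = {
    "usr/bin/example": b"#!/bin/sh\necho example\n",
    "usr/share/doc/example/copyright": b"Example package, public domain.\n",
}

def md5sums_manifest(root, paths):
    """Regenerate a dpkg-style .md5sums manifest ("<md5>  <path>\n", sorted
    by path) from the files currently under root. Sorting makes the manifest
    canonical, so build-time and install-time copies are byte-identical
    whenever the files are."""
    lines = []
    for rel in sorted(paths):
        with open(os.path.join(root, rel), "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()
        lines.append(f"{digest}  {rel}\n")
    return "".join(lines).encode()

def sign_manifest(manifest, key):
    """Stand-in for the archive's detached signature over the manifest
    (assumption: HMAC-SHA256 is used only so this runs offline; a real
    archive would use an OpenPGP signature and a public key)."""
    return hmac.new(key, manifest, "sha256").digest()

def verify_installed(root, paths, signature, key):
    """Regenerate the manifest from the installed files and check the stored
    signature over it. True only when every file and the signature itself
    are intact: a corrupted signature gives a false negative, never a false
    positive, because no file state can make a wrong signature verify."""
    regenerated = md5sums_manifest(root, paths)
    return hmac.compare_digest(sign_manifest(regenerated, key), signature)

def demo():
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # "Build time": manifest signed, only the signature kept.
        sig = sign_manifest(md5sums_manifest(root, SAMPLE_FILES), key)
        intact = verify_installed(root, SAMPLE_FILES, sig, key)
        # Simulate a flipped bit in an installed file (bad RAM, tampering).
        with open(os.path.join(root, "usr/bin/example"), "ab") as f:
            f.write(b"\n")
        modified = verify_installed(root, SAMPLE_FILES, sig, key)
        # Restore the file but corrupt the stored signature instead.
        with open(os.path.join(root, "usr/bin/example"), "wb") as f:
            f.write(SAMPLE_FILES["usr/bin/example"])
        bad_sig = verify_installed(root, SAMPLE_FILES, bytes(32), key)
        return intact, modified, bad_sig
```

`demo()` returns `(True, False, False)`: intact files verify, a modified file fails, and a corrupted signature fails even though the files are fine.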


