[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On Thu, 4 Dec 2003 02:29:29 +0100, Javier Fernández-Sanguino Peña <jfs@computer.org> said: 

> On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
>> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe
>> <christophe@cattlegrid.net> said:
>> > I don't see why adding a md5dsum_are_mandatory clause to the
>> > debian policy would be difficult (what would be a good reason to
>> > not add md5sum to a package?).
>> Because it buys little security wise? Because there are solutions
>> one can put in place today that offer better coverage than in
>> package md5sums?

> First off, little security is better than no security.

	I can turn that around and say that a false sense of security
 is worse than a paranoid admin knowing there is no real security.

> Second, it's not only useful for security, it's useful for integrity
> checking (which is not always related). Third, other solutions
> (calculating md5sums on install, running tripwire/aide, etc.)  might
> be computational intensive and might need to be ruled out in some
> (critical) systems.

	How big a domain are we talking about? A mission critical
 system where it is not feasible to compute md5sums, nor maintain a
 cache of installed .debs, nor have access to a faster/non production
 system where md5sums can be calculated?

	Why are we basing our design on a small subset like this, and
 ignoring issue of archive bloat and bandwidth consumption that
 impacts an arguably larger set of people?

> Finally, there's one thing md5sums in packages can provide that no
> other solution proposed in this thread can: a database of known good
> signatures [1].

	Uhhh -- if this were indeed important, it is easy to generate
 such a list from a known good set of .debs.  Why exactly is
 publishing such a list usefule, and not mere make work?

> Many vendors [2] provide a full list of valid md5sums for their
> operating systems which enables investigators to determine if a file
> belongs to the system or it has been modified.

	If you want a list of such files, we have it now. If you want
 to do a security audit, the md5sum is useless.  An integrity check
 could perhaps use this, and most systems would be better off with 
       DPkg::Post-Invoke {
           "debsums --generate=nocheck -sp /var/cache/apt/archives";

> This is very useful in a forensic investigation since it enables a

	Bullshit. In a forensic investigation you can't trust on disk
 md5sums; and if you need to download the packages to verify the
 md5sum, you have a better check for integrity:
 # ar p  blah.deb data.tar.gz | tar zfd - | grep 'Contents differ'

> So my vote goes to adding md5sums to policy.

	We still don't vote on technical issues, thank god.

When in doubt, parenthesize.  At the very least it will let some poor
schmuck bounce on the % key in vi. --Larry Wall in the perl man page
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

Reply to: