Re: debsums for maintainer scripts
On Thu, 4 Dec 2003 02:29:29 +0100, Javier Fernández-Sanguino Peña <jfs@computer.org> said:
> On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
>> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe
>> <christophe@cattlegrid.net> said:
>>
>> > I don't see why adding a md5dsum_are_mandatory clause to the
>> > debian policy would be difficult (what would be a good reason to
>> > not add md5sum to a package?).
>>
>> Because it buys little security wise? Because there are solutions
>> one can put in place today that offer better coverage than in
>> package md5sums?
> First off, little security is better than no security.
I can turn that around and say that a false sense of security
is worse than a paranoid admin knowing there is no real security.
> Second, it's not only useful for security, it's useful for integrity
> checking (which is not always related). Third, other solutions
> (calculating md5sums on install, running tripwire/aide, etc.) might
> be computational intensive and might need to be ruled out in some
> (critical) systems.
How big a domain are we talking about? A mission critical
system where it is not feasible to compute md5sums, nor maintain a
cache of installed .debs, nor have access to a faster/non production
system where md5sums can be calculated?
Why are we basing our design on a small subset like this, and
ignoring issue of archive bloat and bandwidth consumption that
impacts an arguably larger set of people?
> Finally, there's one thing md5sums in packages can provide that no
> other solution proposed in this thread can: a database of known good
> signatures [1].
Uhhh -- if this were indeed important, it is easy to generate
such a list from a known good set of .debs. Why exactly is
publishing such a list useful, and not mere make work?
> Many vendors [2] provide a full list of valid md5sums for their
> operating systems which enables investigators to determine if a file
> belongs to the system or it has been modified.
If you want a list of such files, we have it now. If you want
to do a security audit, the md5sum is useless. An integrity check
could perhaps use this, and most systems would be better off with
DPkg::Post-Invoke {
"debsums --generate=nocheck -sp /var/cache/apt/archives";
};
> This is very useful in a forensic investigation since it enables a
Bullshit. In a forensic investigation you can't trust on-disk
md5sums; and if you need to download the packages to verify the
md5sum, you have a better check for integrity:
# ar p blah.deb data.tar.gz | tar zfd - | grep 'Contents differ'
> So my vote goes to adding md5sums to policy.
We still don't vote on technical issues, thank god.
manoj
--
When in doubt, parenthesize. At the very least it will let some poor
schmuck bounce on the % key in vi. --Larry Wall in the perl man page
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
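The check Manoj sketches above (derive the reference list from a trusted .deb and diff the installed tree against it, rather than trusting md5sums that live on the possibly compromised host), as an added example that is not from the original thread: a small pure-Python reader for the ar container a .deb uses, a known-good checksum list built from its data.tar member, and a comparison against files under a root directory. It uses sha256 instead of md5; the sample .deb, the staged root tree, and all function names are constructed assumptions.

```python
import hashlib, io, os, pathlib, tarfile, tempfile
AR_MAGIC = b"!<arch>\n"  # a .deb is an ar(1) archive: debian-binary, control.tar.*, data.tar.*

def ar_members(blob):  # yield (name, bytes) per member; ar headers are fixed 60-byte records
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        size = int(blob[pos + 48:pos + 58])
        yield blob[pos:pos + 16].decode().rstrip(" /"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2  # members are padded to even offsets

def deb_known_good_sums(blob):  # path -> sha256 derived from the trusted .deb, not from the host
    sums = {}
    for name, data in ar_members(blob):
        if name.startswith("data.tar"):  # data.tar.gz/.xz; zstd needs an external decompressor
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
                for m in tar:
                    if m.isreg():  # entries are stored as ./usr/bin/tool
                        path = "/" + os.path.normpath(m.name).lstrip("/")
                        sums[path] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return sums

def verify_against_deb(blob, root):  # sorted (path, 'ok' | 'Contents differ' | 'missing')
    findings = []
    for path, good in sorted(deb_known_good_sums(blob).items()):
        p = pathlib.Path(root + path)
        actual = hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None
        findings.append((path, "missing" if actual is None else "ok" if actual == good else "Contents differ"))
    return findings

def build_sample_deb(files):  # constructed sample (assumption): minimal .deb holding `files`
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo("." + path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    out = bytearray(AR_MAGIC)
    for name, data in [("debian-binary", b"2.0\n"), ("control.tar.gz", b""), ("data.tar.gz", buf.getvalue())]:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()  # ar header
        out += data + b"\n" * (len(data) % 2)
    return bytes(out)

def demo():  # constructed scenario: stage two installed files, tamper with one, then verify
    good = {"/usr/bin/tool": b"#!/bin/sh\necho ok\n", "/etc/tool.conf": b"mode=safe\n"}
    root = tempfile.mkdtemp()
    for path, content in good.items():
        p = pathlib.Path(root + path)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"mode=unsafe\n" if path == "/etc/tool.conf" else content)
    return verify_against_deb(build_sample_deb(good), root)
```

On a real host the blob would come from a .deb fetched or cached from the archive (for example under /var/cache/apt/archives) and root would be "/", so the reference checksums never originate from the machine being examined.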