Re: debsums for maintainer scripts
Anthony DeRobertis <email@example.com> writes:
> On Thu, 2003-12-04 at 19:06, Goswin von Brederlow wrote:
> > > Actually, I think the biggest benefit of md5sums is that while
> > > attackers certainly could modify them, often they don't. While passing
> > > debsums certainly can't prove the integrity of a system, debsums
> > > failing can certainly prove the lack of integrity.
> > And the next rootkit will change md5sums files too...
> rpm has had md5sums for a good, long time. Yet, when someone asks me
> 'why did my box break', it's amazing how many times asking rpm to verify
> the md5sums finds ps, ls, etc. modified.
> Most attackers I've had to clean up after don't have a CLUE as to what
> they're doing. I find it difficult to believe that will change.
As soon as Debian starts to automatically check md5sums any attack
with half a chance has to do it.
The only reason attackers don't do it is because with rpm no one cares
about the md5sums.
> > > And they do help when you suspect hardware troubles, too.
> > Having md5sums signatures instead of files _inside_ the deb doesn't
> > prevent that.
> If I have md5sums of each file, I know which files are damaged. That's
> quite different than knowing "something in xserver-xfree86 changed."
Or the md5sum file was damaged.
With the signatures you have 3 options:
1. don't care: I use some other intrusion detection system
2. get a bloody nose: hacks never happen, but damn, now it did.
I compute the md5sums of all files on the system and check against
the signature. That gives me every suspect package. I can download
the deb again or fetch the proper md5sum file from some other place
(any place since the signature verifies it) to get details.
3. I care: Compute the md5sum lists during install. You spend some
minimal cpu time (the gunzip | tar and disk IO takes more time than
md5sum) for the benefit of pinpointing the changed files immediately.
You have to spend some time and space if you want this.
With just the md5sum file you only have option 3 and only for
accidental tampering. For a security audit you need pristine debs.
PS: even if debian had md5sum lists for each package they would be
only current packages and not older versions you would have installed.
A signature inside the deb would last.
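The check described in options 2 and 3 (compute md5sums of installed files and compare them against a package's md5sums list, noting that the list itself may be damaged) as an added example; this is not code from the thread or from debsums, and the package root, file contents and list lines are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse a dpkg-style md5sums list: '<32 hex>  <relative path>' per line.
    Returns (entries, bad_line_numbers); a damaged list shows up as bad lines."""
    entries, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        valid = (sep == "  " and len(digest) == 32 and path
                 and all(c in "0123456789abcdef" for c in digest))
        if not valid:
            bad.append(lineno)
            continue
        entries[path] = digest
    return entries, bad

def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(entries, root="/"):
    """Compare each listed file under root; return ok/changed/missing paths."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, expected in sorted(entries.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of(full) == expected:
            result["ok"].append(rel)
        else:
            result["changed"].append(rel)
    return result

def demo():
    """Constructed sample (hypothetical package root): one modified file,
    one file absent from disk, and one damaged line in the md5sums list."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    files = {"usr/bin/ls": b"pristine ls\n", "usr/bin/ps": b"pristine ps\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    listing = "".join(f"{hashlib.md5(d).hexdigest()}  {rel}\n" for rel, d in files.items())
    listing += "not-a-digest  usr/bin/zz\n"                        # damaged list line
    listing += hashlib.md5(b"x").hexdigest() + "  usr/bin/gone\n"  # listed but not on disk
    with open(os.path.join(root, "usr/bin/ps"), "ab") as f:
        f.write(b"modified after install\n")                       # simulate a changed binary
    entries, bad = parse_md5sums(listing)
    return verify(entries, root), bad
```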