Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Scripsit werner.thoeni@arz.co.at
> why is the md5sums file useless and space wasting especially in
> terms of security? until now, I was of the opinion, that the md5sum
> gives me the guarantee that a debian package is not penetrated
> before installation
No, that's what the checksum of the entire .deb file in the Packages
file is there for.
An attacker who can tamper with /usr/bin/foo within the .deb can just
as easily tamper with the md5sums file within the .deb.
> and further - after having the packages installed on a machine - the
> md5sum files give me the confidence that the debian binaries are
> correct and consistent.
No. An attacker who changes the binaries can just as easily change the
md5sum files stored in /var/lib/dpkg/info.
If you go to a trusted copy of the .deb file for verifying your
binaries, you have the original binaries right there, and do not need
precomputed checksums for comparing them bit-for-bit with what's on
your disk.
It has been argued on debian-devel (read the thread!) that the md5sums
files can be handy to have for detection of non-malicious random acts
of God. But the sense of *security* gained by having the .deb install
a set of checksums on the same machine as the package itself is false.
-- 
Henning Makholm                             "Det er du nok fandens ene om at
                                         mene. For det ligger i Australien!"
Reply to: