
Bug#223772: general: no md5sums for many packages (e.g. bc)
werner.thoeni@arz.co.at writes:

> goswin,
> > werner.thoeni@arz.co.at writes:
> >
> > > Subject: general: no md5sums for many packages (e.g. bc)
> > > Package: general
> > > Version: N/A; reported 2003-12-12
> > > Severity: normal
> > > Tags: security
> >
> > Every package has an md5sum in the Packages file.
> The answer is not correct. Please see as an example the package bc with version
> 1.06-8 or bzip2 version 1.0.2-1, ....

Package: bc
Version: 1.06-12
MD5sum: 9e9945dd5b84b14658c179c2b04c7b89

_EVERY_ deb has an md5sum in the Packages file.

> > Some packages have a useless and space wasting md5sums file inside the
> > package. Due to its uselessness the existence is rather a bug than its
> > omission.
> I don't understand your comment above. Why is the md5sums file useless and
> space wasting, especially in terms of security? Until now, I was of the
> opinion that the md5sum gives me the guarantee that a Debian package is not
> penetrated before installation and further - after having the packages
> installed on a machine - the md5sum files give me the confidence that the
> Debian binaries are correct and consistent.

Any attacker would surely change the md5sums file along with changing
the actual files. Nothing guards against the md5sums file getting
changed intentionally or accidentally.

Only the global md5sum in the Packages file says the file has not
changed since, well, since the Packages file was generated. Since
nothing checks the Release.gpg signature (without apt-secure
installed) that's not much more secure either. But you can make sure
it's not changed since ftp-master.debian.org generated the file.

MfG
        Goswin
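
The distinction Goswin draws above, between the self-contained md5sums file inside a package and the MD5sum recorded in the archive's Packages file, can be shown with a small script. This is an added example, not code from the thread or from Debian's tools. It models a package as a dict of path to bytes and a deterministic byte image standing in for the .deb (an assumption made so it runs offline; real .deb files are ar archives), parses Packages-file stanzas, and then shows that a modified package whose md5sums file was regenerated still passes its own internal check while failing against the Packages-file MD5sum.

```python
import hashlib

# Constructed sample package: path -> file contents. Not the real bc package.
PRISTINE_FILES = {
    "usr/bin/bc": b"\x7fELF...pretend-binary-of-bc...",
    "usr/share/doc/bc/copyright": b"bc is GPL\n",
}


def serialise(files):
    """Deterministic byte image of the package; stands in for the .deb file."""
    return b"".join(p.encode() + b"\0" + d + b"\0" for p, d in sorted(files.items()))


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def make_md5sums_file(files):
    """Build the DEBIAN/md5sums control file shipped inside many packages."""
    return "".join(f"{md5_hex(d)}  {p}\n" for p, d in sorted(files.items()))


def verify_internal(files, md5sums_text):
    """Check unpacked files against the package's own md5sums file."""
    for line in md5sums_text.splitlines():
        digest, path = line.split("  ", 1)
        if md5_hex(files.get(path, b"")) != digest:
            return False
    return True


def parse_packages(text):
    """Parse Packages-file stanzas (blank-line separated 'Field: value' records)."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key is not None:
                fields[key] += "\n" + line  # continuation of the previous field
            else:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        index[fields["Package"]] = fields
    return index


def verify_against_packages(name, deb_bytes, index):
    """Compare the .deb image's MD5 with the MD5sum listed in the Packages file."""
    return md5_hex(deb_bytes) == index[name]["MD5sum"]


# Archive side: a constructed Packages file generated from the pristine package.
PRISTINE_DEB = serialise(PRISTINE_FILES)
PACKAGES_TEXT = (
    "Package: bc\nVersion: 1.06-12\n"
    f"MD5sum: {md5_hex(PRISTINE_DEB)}\n"
    "Description: The GNU bc arbitrary precision calculator language\n"
    " (constructed continuation line)\n\n"
    "Package: bzip2\nVersion: 1.0.2-1\n"
    "MD5sum: 00000000000000000000000000000000\n"  # placeholder digest
)


def tampered_package():
    """Copy of the package where usr/bin/bc was altered and md5sums regenerated."""
    files = dict(PRISTINE_FILES)
    files["usr/bin/bc"] = b"\x7fELF...modified-binary..."
    return files, make_md5sums_file(files)


def demo():
    """Run both checks on the modified package and on the pristine one."""
    index = parse_packages(PACKAGES_TEXT)
    files, md5sums = tampered_package()
    return {
        "internal_check_passes": verify_internal(files, md5sums),
        "packages_check_passes": verify_against_packages("bc", serialise(files), index),
        "pristine_passes": verify_against_packages("bc", PRISTINE_DEB, index),
    }


if __name__ == "__main__":
    print(demo())
```

The internal check passes for the modified package because whoever changed the files also rewrote md5sums, exactly as the message says; only the digest held outside the package catches it, and that digest is in turn only as trustworthy as the Release.gpg signature chain that protects the Packages file.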