
Bug#223772: Reply: Re: Bug#223772: general: no md5sums for many packages (e.g. bc)




Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> wrote on 16.12.2003 19:15:43:

Now it is getting clearer. We are talking about different things.
I'm talking about the md5sums files in the directory /var/lib/dpkg/info. You talk about the md5 sum of the whole package (MD5sum).

So what I want to say is that for the Debian package bc (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in place. This file is checked and used by the tool debsums. That is the thing I'm complaining about.

regards Werner

> werner.thoeni@arz.co.at writes:
>
> > goswin,
> > > werner.thoeni@arz.co.at writes:
> > >
> > > > Subject: general: no md5sums for many packages (e.g. bc)
> > > > Package: general
> > > > Version: N/A; reported 2003-12-12
> > > > Severity: normal
> > > > Tags: security
> > >
> > > Every package has a md5sum in the Package file.
> > The answer is not correct. Please see as an example the package bc with version
> > 1.06-8 or bzip2 version 1.0.2-1, ....
>
> Package: bc
> Version: 1.06-12
> MD5sum: 9e9945dd5b84b14658c179c2b04c7b89
>
> _EVERY_ deb has a md5sum in the Packages file.
>
> > > Some packages have a useless and space wasting md5sums file inside the
> > > package. Due to its uselessness the existence is rather a bug than its
> > > omission.
> > I don't understand your comment above. Why is the md5sums file useless and
> > space wasting, especially in terms of security? Until now, I was of the
> > opinion that the md5sum gives me the guarantee that a Debian package is not
> > penetrated before installation and further - after having the packages
> > installed on a machine - the md5sum files give me the confidence that the
> > Debian binaries are correct and consistent.
>
> Any attacker would surely change the md5sums file along with changing
> the actual files. Nothing guards against the md5sums file getting
> changed intentionally or accidentally.
>
> Only the global md5sum in the Packages file says the file has not
> changed since, well, since the Packages file was generated. Since
> nothing checks the Release.gpg signature (without apt-secure
> installed) that's not much more secure either. But you can make sure
> it's not changed since ftp-master.debian.org generated the file.
>
> Regards
>         Goswin
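
As an added illustration (not from the bug report, nor debsums' own code), a shell sketch of the check debsums performs with /var/lib/dpkg/info/<pkg>.md5sums. The info directory and filesystem root are parameters so the functions can be run against a constructed tree; the three return codes separate a clean package, a modified one, and the case reported here, a package with no md5sums file at all.

```bash
#!/bin/bash
# Added illustration, not code from the bug report or from debsums.
# dpkg keeps, per package, /var/lib/dpkg/info/<pkg>.md5sums with lines
# of the form "<md5>  <path relative to />". The complaint in this bug
# is that for bc (and others) the file is absent, so nothing on the
# installed system can be re-checked. The counterpoint in the thread is
# that the file is only a consistency check, not a security boundary:
# whoever can alter the installed binaries can rewrite the list too.
# The Packages-file MD5sum (and a Release.gpg signature over it) covers
# the .deb before installation instead.
#
# check_md5sums INFODIR ROOT PKG
#   returns 0 if every listed file matches,
#           1 if any listed file is missing or modified,
#           2 if the package ships no md5sums file at all.
# On a real system INFODIR is /var/lib/dpkg/info and ROOT is /; they are
# parameters here so the function can run against a constructed tree.
check_md5sums() {
    local infodir="$1" root="$2" pkg="$3"
    local list="$infodir/$pkg.md5sums"
    if [ ! -f "$list" ]; then
        printf '%s: no md5sums file (%s)\n' "$pkg" "$list" >&2
        return 2
    fi
    # md5sum -c re-hashes every path in the list; run from ROOT because
    # the paths are stored relative to the filesystem root.
    if (cd "$root" && md5sum -c "$list" >/dev/null 2>&1); then
        return 0
    fi
    return 1
}

# list_unverifiable INFODIR
#   prints every installed package (one that has a .list file) that has
#   no .md5sums file, i.e. the packages a debsums run must skip.
list_unverifiable() {
    local infodir="$1" listfile pkg
    for listfile in "$infodir"/*.list; do
        [ -e "$listfile" ] || continue
        pkg=$(basename "$listfile" .list)
        [ -f "$infodir/$pkg.md5sums" ] || printf '%s\n' "$pkg"
    done
}
```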
