[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On 04 Dec 2003 02:44:31 +0100, Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> said: 

> "Bernhard R. Link" <blink@informatik.uni-freiburg.de> writes:
>> * Manoj Srivastava <srivasta@debian.org> [031203 20:12]:
>> > 	Before we make such a push, we should at least ensure that it
>> >  is something we really want to do. I think locally generated
>> >  checksums are a better solution.
>>
>> I don't think so. md5-calculation it not the fastest thing
>> (especially on non-i386 it often feels like downloading and
>> installing together needs less time than the md5sum-verification.
>> So this should be switched off, but then it will be missing when
>> one needs them.

> The md5sum file should be generated at build time, signed and only
> the signature kept. The signature is small enough not to cause
> bloat, it can be included in the Package file or a Signatures.gz
> file containing all signatures could be maintained in the archive.

	Good, except that now we have no checksum checks for the most
 critical files on my system -- the ones that tailor all software that
 runs to my environment. Generating the md5sums on install for atleast
 the conffiles should still be considered, since the checksums for the
 conffiles on my system often bear little resemblance to the md5sums
 for the conffiles shipped with the package.

> When one needs to verify the md5sum files can be generated
> (dpkg-repack and then generate them) and compared.

	Why dpkg-repack?
__> cat /var/lib/dpkg/info/mailagent.list | while read i; do test -f $i \
      &&&& md5sum $i; done
c1188623038c4ae8b0b94b7718ed33d4  /usr/bin/mailpatch
448fa9faf25a526231944b5c19d85305  /usr/bin/mailhelp
21da2125bd7dd23885b4ae929187b6a4  /usr/bin/maillist
ffd68a1d6b7e8cc3bf20466fb37ef03d  /usr/bin/maildist
c709fd09363185e556c64be2c81ff6fb  /usr/bin/package
39437a68a2dc5501b3fc37458219fcc8  /usr/bin/edusers
66dbd5e38b2c05241b103db274399576  /usr/bin/mailagent
 ....

> Or the files can be generated at install time and stored
> too. Intrusion detection systems could use those files then since
> the signature preventstampering. It would be the users choice.

	manoj
-- 
Now she speaks rapidly.  "Do you know *why* you want to program?" He
shakes his head.  He hasn't the faintest idea. "For the sheer *joy* of
programming!" she cries triumphantly.  "The joy of the parent, the
artist, the craftsman.  "You take a program, born weak and impotent as
a dimly-realized solution.  You nurture the program and guide it down
the right path, building, watching it grow ever stronger.  Sometimes
you paint with tiny strokes, a keystroke added here, a keystroke
changed there."  She sweeps her arm in a wide arc.  "And other times
you savage whole *blocks* of code, ripping out the program's very
*essence*, then beginning anew.  But always building, creating,
filling the program with your own personal stamp, your own quirks and
nuances.  Watching the program grow stronger, patching it when it
crashes, until finally it can stand alone -- proud, powerful, and
perfect.  This is the programmer's finest hour!"  Softly at first,
then louder, he hears the strains of a Sousa march.  "This ... this is
your canvas! your clay!  Go forth and create a masterwork!"
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
Reply to: