
Re: debsums for maintainer scripts



On Thu, 4 Dec 2003 02:29:29 +0100, Javier Fernández-Sanguino Peña <jfs@computer.org> said: 

> On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
>> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe
>> <christophe@cattlegrid.net> said:
>>
>> > I don't see why adding a md5dsum_are_mandatory clause to the
>> > debian policy would be difficult (what would be a good reason to
>> > not add md5sum to a package?).
>>
>> Because it buys little security wise? Because there are solutions
>> one can put in place today that offer better coverage than in
>> package md5sums?

> First off, little security is better than no security.

	I can turn that around and say that a false sense of security
 is worse than a paranoid admin knowing there is no real security.

> Second, it's not only useful for security, it's useful for integrity
> checking (which is not always related). Third, other solutions
> (calculating md5sums on install, running tripwire/aide, etc.)  might
> be computational intensive and might need to be ruled out in some
> (critical) systems.

	How big a domain are we talking about? A mission critical
 system where it is not feasible to compute md5sums, nor maintain a
 cache of installed .debs, nor have access to a faster/non production
 system where md5sums can be calculated?

	Why are we basing our design on a small subset like this, and
 ignoring issue of archive bloat and bandwidth consumption that
 impacts an arguably larger set of people?

> Finally, there's one thing md5sums in packages can provide that no
> other solution proposed in this thread can: a database of known good
> signatures [1].

	Uhhh -- if this were indeed important, it is easy to generate
 such a list from a known good set of .debs.  Why exactly is
 publishing such a list useful, and not mere make work?

> Many vendors [2] provide a full list of valid md5sums for their
> operating systems which enables investigators to determine if a file
> belongs to the system or it has been modified.

	If you want a list of such files, we have it now. If you want
 to do a security audit, the md5sum is useless.  An integrity check
 could perhaps use this, and most systems would be better off with 
       DPkg::Post-Invoke {
           "debsums --generate=nocheck -sp /var/cache/apt/archives";
       };

> This is very useful in a forensic investigation since it enables a

	Bullshit. In a forensic investigation you can't trust on-disk
 md5sums; and if you need to download the packages to verify the
 md5sum, you have a better check for integrity:
 # ar p  blah.deb data.tar.gz | tar zfd - | grep 'Contents differ'


> So my vote goes to adding md5sums to policy.

	We still don't vote on technical issues, thank god.

	manoj
-- 
When in doubt, parenthesize.  At the very least it will let some poor
schmuck bounce on the % key in vi. --Larry Wall in the perl man page
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
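The two points above (generating a "known good" md5sum list from a trusted set of .debs, and checking the installed tree against the package rather than against on-disk sums) are illustrated by the following added example. It is not code from the thread or from debsums; it parses the .deb's ar container and data.tar member directly with only the Python standard library, builds a md5sum list from the package, and compares files on disk against it. The package contents, the tampering and the temporary root are constructed for the demo; the ar header layout is the standard 60-byte one that dpkg-deb writes.

```python
"""Derive a known-good md5sum list from a .deb and verify an installed tree against it."""
import hashlib
import io
import os
import tarfile
import tempfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (a .deb is one).

    Header layout: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2).
    """
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().strip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even length


def deb_md5sums(deb_blob):
    """Return {relative path: md5 hex} for every regular file in data.tar.*."""
    for name, data in ar_members(deb_blob):
        if name.startswith("data.tar"):
            sums = {}
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf:
                    if m.isfile():
                        content = tf.extractfile(m).read()
                        rel = os.path.relpath(m.name, ".")  # './usr/bin/x' -> 'usr/bin/x'
                        sums[rel] = hashlib.md5(content).hexdigest()
            return sums
    raise ValueError("no data.tar member in package")


def verify(md5s, root):
    """Compare files under root with the list; return (modified, missing) paths."""
    modified, missing = [], []
    for rel, expected in sorted(md5s.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
            continue
        with open(path, "rb") as f:
            if hashlib.md5(f.read()).hexdigest() != expected:
                modified.append(rel)
    return modified, missing


def build_deb(files):
    """Assemble a minimal, constructed .deb from {relative path: bytes} (demo only)."""
    def targz(entries):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for rel, content in entries.items():
                ti = tarfile.TarInfo("./" + rel)
                ti.size = len(content)
                tf.addfile(ti, io.BytesIO(content))
        return buf.getvalue()

    def ar_member(name, data):
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")

    return (AR_MAGIC
            + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", targz({"control": b"Package: demo\nVersion: 1.0\n"}))
            + ar_member("data.tar.gz", targz(files)))


def demo():
    """Install a constructed package into a temp root, tamper with it, and audit it."""
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n",
             "etc/hello.conf": b"greeting=hello\n"}
    known_good = deb_md5sums(build_deb(files))  # the trusted list comes from the .deb
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(content)
        # Simulated compromise: one file altered, one removed.
        with open(os.path.join(root, "usr/bin/hello"), "ab") as f:
            f.write(b"echo tampered\n")
        os.remove(os.path.join(root, "etc/hello.conf"))
        return verify(known_good, root)


if __name__ == "__main__":
    print("modified, missing:", demo())
```

Because the sums are taken from the package and not from a file on the audited host, they stay meaningful when the host's own /var/lib/dpkg/info/*.md5sums are suspect; the same function run over /var/cache/apt/archives yields the list the quoted message says is "easy to generate".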


