Re: proposed release goal: DEBIAN/md5sums for all packages

To: debian-devel@lists.debian.org
Subject: Re: proposed release goal: DEBIAN/md5sums for all packages
From: Russ Allbery <rra@debian.org>
Date: Fri, 17 Aug 2007 16:47:38 -0700
Message-id: <[🔎] 87eji1pvtx.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] 20070817220528.GB3661@p12n.org> (Peter Samuelson's message of "Fri, 17 Aug 2007 17:05:28 -0500")
References: <20070817064236.GA6351@takhisis.invalid> <46C5486D.8010108@debian.org> <[🔎] 20070817074350.GA11870@takhisis.invalid> <[🔎] 878x8afut3.fsf@elegiac.orebokech.com> <[🔎] 1187340611.17800.38.camel@dorfl.lan> <[🔎] 20070817220528.GB3661@p12n.org>

Peter Samuelson <peter@p12n.org> writes:

> I'd opt for dpkg generating the checksums upon _extracting_ the .deb
> file.  We already claim that the md5sums file isn't supposed to be any
> kind of security thing.  Why bother to ship it?  It is redundant
> information which can easily be regenerated on the user's system.

While it's not the be-all and end-all of security, other OS vendors (Sun
in particular) have found it useful to make available a central database
of MD5 checksums of known-good versions of various binaries.  This has
proven invaluable in not a few breakins and compromises when doing
forensics.  Since we have such a database essentially for free now in the
form of the md5sums control files, I'd rather not take an approach that
gets rid of it, even if it isn't a horribly effective security measure.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Peter Samuelson <peter@p12n.org>
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Stefano Zacchiroli <zack@debian.org>
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Romain Francoise <rfrancoise@debian.org>
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Lars Wirzenius <liw@iki.fi>
- Re: proposed release goal: DEBIAN/md5sums for all packages
  - From: Peter Samuelson <peter@p12n.org>

Prev by Date: Re: proposed release goal: DEBIAN/md5sums for all packages
Next by Date: Re: proposed release goal: DEBIAN/md5sums for all packages
Previous by thread: Re: proposed release goal: DEBIAN/md5sums for all packages
Next by thread: Re: proposed release goal: DEBIAN/md5sums for all packages
Index(es):
- Date
- Thread