
Re: proposed release goal: DEBIAN/md5sums for all packages



On Fri, Aug 24, 2007 at 03:16:28PM +0200, Goswin von Brederlow wrote:
> I fail to see any reason to HAVE a md5sums file.

It looks like you have not read all the thread, others have made some
good points as to why it's good. Just in case I'm going to voice my opinion
here again and see if I can convince you (and others listening) :)

> The md5sum file in /var/lib/dpkg/info/ (or wherever you put it on the
> users system) is not protected and therefore useless as a security
> device. Fetching a md5sum file you can trust means fetching (at least
> partially) the deb and then you can just compare the files one by one.

"Useless security device" is an overstatement here. One of security's
fundamental cornerstones is 'integrity'. 

System integrity can be lost due to:

- a person without malicious intent accidentally or on purpose changes the
  system, e.g. a novice admin who modified a script in /usr/bin installed by
  a package or redirected his stderr to a file he shouldn't have after
  mistyping a command.
  
- uncontrolled accidents or disasters, e.g. hard disk / memory corruption
  in a system which makes it incorrectly write to disk a binary unpacked
  from a package.

- somebody with malicious intent, e.g. an unauthorised user that elevates
  privileges and installs a trojan

I do agree that the last case is probably only handled well with a signed
hash database in a read only media (the Debian Security Manual gives some
examples) but the two others can be served quite well just by including
md5sum files in packages. 

So, md5sums *do* serve a security purpose even if they are not able to
stop a determined cracker from violating the system's integrity in a way we
cannot detect.

FWIW, IMHO the first type of integrity losses are more common than the last.

> Also the md5sum file can be generated at install time if wanted. The
> cost of computing the md5sum on the fly is quite insignificant on most
> systems.

Some computing systems cannot incur the cost (please read the thread).
What do you think is (globally) more CPU-conscious: compute once (in the
buildds) and put in a file for everybody to use or compute once in every
system the package is installed on. There might be hundreds of build systems
(including the developer's Debian systems where packages are built) but there
are thousands of users.

It is quite obvious to me that we are saving energy if we just distribute
them instead of forcing our end-users to recompute them. Energy is a scarce
resource, save the planet! :)

> So why waste all the mirror space and bandwith for something rather
> useless?

"Waste all" seems like a very bad phrase. The impact on our archive of
mandating md5sums or sha1sums in packages when most *already* do that is
negligible. From
http://blog.orebokech.com/2007/08/debian-packages-without-md5sums.html:
"Random testing of my local Debian mirror shows that 644 binary packages out
of 20774 (3.1%) are missing the DEBIAN/md5sums control file."

If you want to go through the "space and bandwidth" road please
provide some data to back it up. How much space do we munge if we *add*
md5sums to packages that don't have that information already?  Also: How much
space do we save if we *remove* md5sums from all packages?

Just my 2c,


Javier
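The two positions in this exchange (the md5sums list catches accidental or careless changes; an attacker with root can rewrite the copy under /var/lib/dpkg/info so only a list taken from the signed .deb catches him) can be shown with a small checker. The following is an added example, not code from the thread or from dpkg/debsums. It assumes the DEBIAN/md5sums line format as written by `md5sum` from the package root ("<32 hex digits>  <relative path>", two spaces); the package tree, file contents and tampering are constructed inline for illustration.

```python
"""Verify installed files against a DEBIAN/md5sums-style list.

Added example, not code from the Debian thread. Assumes the md5sums
format produced by `md5sum` run from the root of the unpacked package:
  <32 hex digits><two spaces><path relative to package root>
The sample package tree and the tampering below are constructed.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sums(text):
    """Parse 'hash  relative/path' lines into {path: hash}.

    Rejects malformed lines instead of silently skipping them: a list
    that cannot be parsed must not be mistaken for a list that passed.
    The optional '*' binary marker some md5sum builds emit is stripped.
    """
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        digest = digest.lower()
        if not sep or len(digest) != 32 or not set(digest) <= HEX or not path:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        sums[path.lstrip("*")] = digest
    return sums


def md5_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, sums):
    """Return {relpath: status}, status in {"ok", "changed", "missing"}."""
    result = {}
    for rel, expected in sums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result[rel] = "missing"
        elif md5_of_file(full) != expected:
            result[rel] = "changed"
        else:
            result[rel] = "ok"
    return result


def demo():
    """Constructed scenario: a careless edit, then a root-level attacker."""
    # Constructed package contents (stand-ins for real package files).
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/hello/README": b"hello docs\n",
    }
    # The list as shipped inside the (signed) .deb: computed once on the buildd.
    deb_list = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in files.items())

    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        script = os.path.join(root, "usr/bin/hello")

        # Case 1: a novice admin appends to an installed script. The copy of
        # the list under /var/lib/dpkg/info is untouched, so it catches this.
        with open(script, "ab") as f:
            f.write(b"echo oops >> /tmp/log\n")
        installed_list = parse_md5sums(deb_list)
        accidental = verify(root, installed_list)["usr/bin/hello"]

        # Case 2: an attacker with root edits the file AND rewrites the
        # installed list to match. The on-disk list now says "ok".
        with open(script, "ab") as f:
            f.write(b"cp /bin/sh /tmp/.x; chmod 4755 /tmp/.x\n")
        installed_list["usr/bin/hello"] = md5_of_file(script)
        attacker_vs_installed = verify(root, installed_list)["usr/bin/hello"]

        # Only a list obtained from a trusted copy of the .deb (or read-only
        # media) still detects the change.
        attacker_vs_deb = verify(root, parse_md5sums(deb_list))["usr/bin/hello"]

    return {
        "accidental_vs_installed_list": accidental,
        "attacker_vs_installed_list": attacker_vs_installed,
        "attacker_vs_deb_list": attacker_vs_deb,
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run against a real system, the same `verify()` would take `/` as the root and the contents of a `/var/lib/dpkg/info/<pkg>.md5sums` file as the list; the point of the second case is that the list's value as a detector is exactly as good as the trust in where that list came from.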
