Re: Bug#540215: Introduce dh_checksums

To: debian-devel@lists.debian.org
Subject: Re: Bug#540215: Introduce dh_checksums
From: Harald Braumann <harry@unheit.net>
Date: Tue, 9 Mar 2010 13:59:20 +0100
Message-id: <[🔎] 20100309125920.GC15017@nn.nn>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20100309034954.GA4125@gnu.kitenet.net>
References: <[🔎] 1267650344.8266.262.camel@solid.paris.klabs.be> <[🔎] 87bpf3vrai.fsf@qurzaw.linpro.no> <[🔎] 1268066168.21347.9661.camel@solid.paris.klabs.be> <[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu> <[🔎] 1268085864.21347.11498.camel@solid.paris.klabs.be> <[🔎] 87d3zea1fu.fsf@windlord.stanford.edu> <[🔎] 20100308225913.GA25043@gnu.kitenet.net> <[🔎] 20100309033842.GB15017@nn.nn> <[🔎] 87k4tmupju.fsf@windlord.stanford.edu> <[🔎] 20100309034954.GA4125@gnu.kitenet.net>

On Mon, Mar 08, 2010 at 10:49:54PM -0500, Joey Hess wrote:
> Russ Allbery wrote:
> > It's also always worth bearing in mind that while a really good attacker
> > can do all sorts of complex things that make them very hard to find, most
> > attackers are stupid and straightforward.
> 
> It's stupid and straightforward to install /usr/local/bin/ls. debsums
> will not detect it.

And it's as straightforward to find files which don't belong to any
package and have some other means in place to check locally generated
files.

If I understand you correctly, you argue that one would need some IDS
anyway to cover all files, and that could then be used also to verify
package files. Therefore making file signatures in packages
superfluous. I think I could agree with that. On the other hand, I
tend to keep /usr/local clean and create packages for for home-grown
software. If you do this consistently, you'd get a system where you
could verify all files without additional software (modulo the script
that checks for surplus files).

More important  would be package signatures, anyway,  because
currently there is no way to verify a package. I work with
testing/unstable a lot and often I have deb files lying around are
not in any Release, so there is no way of verifying them.

harry

Reply to:

Follow-Ups:
- Re: Bug#540215: Introduce dh_checksums
  - From: "Bernhard R. Link" <brlink@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>

References:
- Re: md5sums files
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: md5sums files
  - From: Tollef Fog Heen <tfheen@err.no>
- Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Frank Lin PIAT <fpiat@klabs.be>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Harald Braumann <harry@unheit.net>
- Re: Bug#540215: Introduce dh_checksums
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#540215: Introduce dh_checksums
  - From: Joey Hess <joeyh@debian.org>

Prev by Date: Bug#573149: ITP: merlin -- Module for Effortless Redundancy and Loadbalancing In Nagios
Next by Date: Re: Bug#540215: Introduce dh_checksums
Previous by thread: Re: Bug#540215: Introduce dh_checksums
Next by thread: Re: Bug#540215: Introduce dh_checksums
Index(es):
- Date
- Thread