Re: md5sums files... and beyond


In case anyone wonders about the status of replacing md5sums with
something stronger _in_ the binary packages, this should be considered
to be suspended until the next development cycle. (at least, from my

It has been pointed out that those current checksums aren't sufficient
to validate that an installed package is secure (quoting Joey Hess:
"there are innumerable ways for an attacker to inject bad
behavior/backdoors onto a system without touching binaries originating
from dpkg."[1] and "it's also fairly easy to modify a file in /etc to
provide a backdoor" ...)

Therefore, it should be clear that there is no urgency in replacing
DEBIAN/md5sums as they are "useful for corruption and local (benign)
modification checksumming." (quoting Russ Allbery[2]).

The initial proposal to replace md5sum with ${better}sum:
should be enhanced with further meta-data. A very early draft is:



On Thu, 2010-03-11 at 00:44 +0100, Frank Lin PIAT wrote:
> On Wed, 2010-03-03 at 03:06 +0100, Wouter Verhelst wrote:
> > 
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums. While that
> > might've been useful at some point, I don't think it still is.
> Hi all,
> Can you think of any sensible reason for not including md5sums of
> control files, especially the {pre,post}{inst,rm} scripts ?
> In the shasum file, those files could be either:
>  1. inserted, with the patch rewritten to match their expected 
>     location on the target system.
> or
>  2. inserted as a *comment* in the shasum file, like:
>     #68b329da9893e34099c7d8ad5cb9c940 CONTROL.TAR:postinst

[1] http://lists.debian.org/msgid-search/20100308225913.GA25043@gnu.kitenet.net
[2] http://lists.debian.org/msgid-search/87wrxmbkdn.fsf@windlord.stanford.edu
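
Option 2 of the quoted proposal, sketched as an added example (not part of the original message and not dpkg code): maintainer scripts are recorded as `#<digest> CONTROL.TAR:<name>` comment lines next to the usual data-file entries. SHA-256, the in-memory tars standing in for a package's control and data members, and all function names are assumptions made for illustration.

```python
import hashlib, io, tarfile

SCRIPTS = ("preinst", "postinst", "prerm", "postrm")  # {pre,post}{inst,rm}

def make_tar(files):
    """Build an in-memory tar from {name: bytes}; stands in for a .deb member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def members(tar_bytes):
    """Return {path: content} for regular files, without the leading './'."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name[2:] if m.name.startswith("./") else m.name:
                tar.extractfile(m).read() for m in tar if m.isfile()}

def build_manifest(control_tar, data_tar, algo="sha256"):
    """Data files as normal entries, maintainer scripts as '#' comment lines."""
    lines = [f"{hashlib.new(algo, d).hexdigest()}  {n}"
             for n, d in members(data_tar).items()]
    lines += [f"#{hashlib.new(algo, d).hexdigest()} CONTROL.TAR:{n}"
              for n, d in members(control_tar).items() if n in SCRIPTS]
    return "\n".join(lines) + "\n"

def legacy_entries(manifest):
    """Paths seen by a checker that skips '#' lines and so never sees the scripts."""
    return [l.split(None, 1)[1] for l in manifest.splitlines() if not l.startswith("#")]

def verify(manifest, control_tar, data_tar, algo="sha256"):
    """Return the sorted names whose digest is wrong or whose file is missing."""
    actual = members(data_tar)
    actual.update({"CONTROL.TAR:" + n: d for n, d in members(control_tar).items()})
    bad = []
    for line in manifest.splitlines():
        digest, name = line.lstrip("#").split(None, 1)
        if name not in actual or hashlib.new(algo, actual[name]).hexdigest() != digest:
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":  # constructed sample package contents
    ctrl = make_tar({"./control": b"Package: hello\n", "./postinst": b"#!/bin/sh\nexit 0\n"})
    data = make_tar({"./usr/bin/hello": b"constructed sample binary\n"})
    manifest = build_manifest(ctrl, data)
    print(manifest, end="")
    changed = make_tar({"./control": b"Package: hello\n", "./postinst": b"#!/bin/sh\necho changed\n"})
    print(verify(manifest, changed, data))
```

As the message itself says, such a manifest only detects corruption or benign local modification; anyone able to rewrite the scripts can rewrite an unsigned manifest stored beside them.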

