Re: md5sums files... and beyond

To: Debian Devel <debian-devel@lists.debian.org>
Subject: Re: md5sums files... and beyond
From: Frank Lin PIAT <fpiat@klabs.be>
Date: Tue, 30 Mar 2010 22:57:57 +0200
Message-id: <[🔎] 1269982677.3574.252.camel@solid.paris.klabs.be>
In-reply-to: <[🔎] 1268264672.3291.3654.camel@solid.paris.klabs.be>
References: <[🔎] 20100303020620.GA17083@celtic.nixsys.be> <[🔎] 1268264672.3291.3654.camel@solid.paris.klabs.be>

Hi,

In case anyone wonders about the status of replacing md5sums with
something stronger _in_ the binary packages, this should be considered
to be suspended until the next development cycle. (at least, from my
PoV).

It have been pointed out that those current checksum aren't sufficient
to validate that an installed package is secure (quoting Joey Hess:
"there are innumerable ways for an attacker to inject bad
behavior/backdoors onto a system without touching binaries originating
from dpkg."[1] and "it's also fairly easy to modify a file in /etc to
provide a backdoor" ...)

Therefore, it should be clear that there is no urgency in replacing
DEBIAN/md5sums as they are  "useful for corruption and local (benign)
modification checksumming." (quoting Russ Allbery[2]).

The initial proposal to replace md5sum with ${better}sum:
  http://wiki.debian.org/Sha256sumsInPackages
should be enhanced with further meta-data. A very early draft is:
  http://wiki.debian.org/Proposals/BinaryPackageDescriptor

Regards,

Franklin

On Thu, 2010-03-11 at 00:44 +0100, Frank Lin PIAT wrote:
> On Wed, 2010-03-03 at 03:06 +0100, Wouter Verhelst wrote:
> > 
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums. While that
> > might've been useful at some point, I don't think it still is.
> 
> Hi all,
> 
> Can you think of any sensible reason for not including md5sums of
> control files, especially the {pre,post}{inst,rm} scripts ?
> 
> In the shasum file, those files could be either:
>  1. inserted, with the patch rewritten to match their expected 
>     location on the target system.
> or
>  2. inserted as a *comment* in the shasum file, like:
>     #68b329da9893e34099c7d8ad5cb9c940 CONTROL.TAR:postinst

[1] [🔎] 20100308225913.GA25043@gnu.kitenet.net">http://lists.debian.org/msgid-search/[🔎] 20100308225913.GA25043@gnu.kitenet.net
[2] [🔎] 87wrxmbkdn.fsf@windlord.stanford.edu">http://lists.debian.org/msgid-search/[🔎] 87wrxmbkdn.fsf@windlord.stanford.edu

Reply to:

References:
- md5sums files
  - From: Wouter Verhelst <wouter@debian.org>
- Re: md5sums files
  - From: Frank Lin PIAT <fpiat@klabs.be>

Prev by Date: Bug#575953: ITP: gmock -- Google's framework for writing and using C++ mock classes
Next by Date: Bug#575964: ITP: portlet-api-2.0-spec -- Java Portlet Specification V2.0
Previous by thread: Re: md5sums files
Next by thread: Bug#572325: ITP: xjobs -- reads job descriptions line by line and executes them in parallel
Index(es):
- Date
- Thread