[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: please, let's *completely* drop md5sums for buster (was Re: no-strong-digests-in-dsc MBF)

On 22.01.2017 12:34, Bernd Zeimetz wrote:
> afaik people are criticizing that there are still (only) md5sum files in
> /var/lib/dpkg/info. As dpkg --verify uses them, it might indeed make
> sense to replace them.
> (yes, dpkg is not an IDS, but better than nothing...).

Originally the thread was about hashes in .dscs, but okay. What exactly
does that help given that the md5sums can just be modified locally?

Right now we don't keep the file size in dpkg's database. We keep
md5sums in an easily modifyable place. We don't easily allow people to
download just the md5sums information that you'd need to independently
verify the files on the system.

We could of course start by providing another hash type, but given the
purpose for why we have md5sums for installed files in the first place
(detecting file corruption and modification of files vs. what has been
installed by the package manager) a different hash type is not going to

Sure, we could assume for a moment that the attacker could not tamper
with the md5sums because the admin implemented an elaborate
SELinux-based scheme that denies modification of the md5sum files on
disk except when dpkg is invoked. In this case having also the size or a
combination of hashes would make me more comfortable.

Anyway, that said, is there a bug on this on the dpkg side already?

Kind regards
Philipp Kern

Reply to: