Re: are md5sums mandatory for all packages?
On Thu, Dec 18, 1997 at 02:19:07AM -0600, Manoj Srivastava wrote:
>Radu> Hmm, well my intention for the md5sums is a bit different. I'd
>Radu> like to use them to 1)check package integrity, and 2)check for
>Radu> modified configuration files. Tripwire is fine, and you'd still
>Radu> have to run tripwire.
>
> Package integrity checking: the whole package has a md5sum,
After the package has been installed, not the *.deb file.
I'd prefer not to have to keep all the *.deb files around and then do
diffs.
> and quite widely published at that. If the md5sum does not match, I
> do not install it (actually, I have a script that runs over my local
> mirror ...). This is easy. It exists.
Sure, fine, that's what the md5sum on the *.deb is useful for.
> Secondly, if I am concerned about security and file integrity,
> I use tripwire, and write protect the media the database is on. The
> bad person modifying /usr/bin/make can very well alter
> /var/lib/dpkg/info/make.md5sum as well.
Fine, totally different issues. The /var/lib/dpkg/info/make.md5sum is
not used for security purposes, but post installation integrity
checking and modification checking (excluding malicious mods).
> Thirdly, the conf file md5sums are already stored by dpkg,
> without all the duplication you are advocating. (have you really
> looked at the contents of /var/lib/dpkg/info/?).
I have, have you? Show me what you are talking about for the following
packages. I took the time to find 4 nice examples, so please take the
time to show me what you are talking about. Maybe I missed the obvious.
in 131 for
1)ldso 1.8.12-1
2)lpr 5.9-13.1
or in hamm for
1)ldso 1.9.6-2
2)lpr 5.9-20.2
> Are you really getting any security from this, or are we just
> trying for warm fuzzy feelings?
No added security, nor am I trying to claim that you get any, mind you.
Radu
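
The post-installation check discussed in this thread, as an added example that is not part of the original messages and is not dpkg's own code: it verifies files under a root directory against an md5sum(1)-style list and reports missing or modified files. The function names, sample paths and temporary tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse md5sum(1)-style lines: '<32 hex digits>  <path relative to root>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        path = path[1:] if path.startswith("*") else path  # '*' marks binary mode
        entries[path] = digest.lower()
    return entries

def md5_of(path):
    h = hashlib.md5()  # catches accidental change only, as the thread notes
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(root, md5sums_text):
    """Return {path: 'ok' | 'modified' | 'missing'} for each listed file."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if md5_of(full) == expected else "modified"
    return report

def demo():
    """Constructed sample tree: what a list stored beside the files can detect."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        target = os.path.join(root, "usr/bin/make")
        with open(target, "wb") as f:
            f.write(b"original\n")
        listing = f"{md5_of(target)}  usr/bin/make\n{'0' * 32}  usr/bin/gone\n"
        before = verify(root, listing)
        with open(target, "wb") as f:
            f.write(b"changed\n")
        after = verify(root, listing)
        # A list regenerated after the change matches again, which is why the
        # thread keeps the reference database on write-protected media.
        relisted = verify(root, f"{md5_of(target)}  usr/bin/make\n")
        return before, after, relisted

if __name__ == "__main__":
    print(demo())
```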