Re: are md5sums mandatory for all packages?
On 19 Dec 1997, Milan Zamazal wrote:
> >>>>> "MS" == Manoj Srivastava <srivasta@datasync.com> writes:
>
> MS: I still fail to see any advantages in what even you
> MS: admit is a half baked security solution. There is a better, more
> MS: secure, real solution in terms of tripwire.
>
> But we have none -- tripwire is non-free software.
>
> Dpkg md5sums could be more simple for a user (just typing
> `dpkg --check-md5sums'). On my home system I'm not interested in
> security, I may only want to check the system e.g. after some HW
> accident. I don't know whether such a thing is much useful (I didn't
> need it yet), but if it is easy to implement, why not to add this
> facility?

I agree with these points. It would IMHO be a good thing to be able to let
dpkg perform some kind of integrity scan on installed packages.

Of course, it can't match with tools like tripwire, if Real Security is a
concern. But what about the clueless beginner, who has to learn everything
and might occasionally break parts of his system, the unfortunate owner of
a piece of hardware that turns out to be unreliable or the sysadmin who
wants a quick overview of changes she has made to the default
installation? They would be helped a lot if dpkg had the features to do a
scan on presence, permissions, ownership and md5sums. IMO the md5sums
wouldn't even be as useful as the other checks.

The advantages of an integrity-checking extension to dpkg as I see are:
- is quite a basic function for a packaging system anyway;
- would be of practical value to all kinds of users;
- no need to install and configure tripwire if you only want simple
  configuration integrity tracking.

If people find that all this information would require too much storage
space, then settings in /etc/dpkg/dpkg.conf could keep dpkg from storing
the data. BTW, if space is so much a concern, then a similar switch ala
"write-in-/usr/doc" would do nicely in /etc/dpkg/dpkg.conf.

Cheers,
Joost
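
Added example, not part of the message above and not dpkg code: a sketch of the scan the message describes (presence, permissions, ownership, md5sums) run over a constructed package tree. The manifest layout and all function names are assumptions; as the thread notes, a manifest stored on the same machine catches accidents and local changes, not an intruder who can rewrite it.

```python
import hashlib, os, stat, tempfile

def state(path):
    """(md5, permission bits, uid) of one regular file."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid

def record(root, relpaths):
    """Manifest taken at install time: relpath -> state tuple (assumed layout)."""
    return {rel: state(os.path.join(root, rel)) for rel in relpaths}

def scan(root, manifest):
    """Return sorted (relpath, finding) pairs; an empty list means no drift."""
    findings = []
    for rel, want in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.lexists(full):
            findings.append((rel, "missing"))
        elif not stat.S_ISREG(os.lstat(full).st_mode):
            # Replaced by a symlink, directory or device: do not hash through it.
            findings.append((rel, "not a regular file"))
        else:
            got = state(full)
            findings += [(rel, name) for name, g, w
                         in zip(("md5", "mode", "owner"), got, want) if g != w]
    return sorted(findings)

def demo():
    """Constructed sample tree: install, record, damage three files, scan."""
    files = {"bin/tool": b"#!/bin/sh\n", "etc/tool.conf": b"x=1\n",
             "doc/README": b"hi\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o644)
        manifest = record(root, files)
        os.chmod(os.path.join(root, "bin/tool"), 0o666)      # permissions drift
        with open(os.path.join(root, "etc/tool.conf"), "wb") as f:
            f.write(b"x=2\n")                                # content changed
        os.remove(os.path.join(root, "doc/README"))          # file lost
        return scan(root, manifest)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:8} {rel}")
```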