
Re: are md5sums mandatory for all packages?



Hi,
>>"Radu" == Radu Duta <rduta@xtra.co.nz> writes:

Radu> On Tue, Dec 16, 1997 at 11:46:29PM -0600, Manoj Srivastava
Radu> wrote:
>>  The addition of the md5sums has come up before. Personally, I
>> think the utility is limited, given the presence of tripwire, which
>> goes much further to ensure the integrity of the system (For
>> example: a bad guy changes /usr/sbin/foo *and*
>> /var/lib/dpkg/info/foo.md5sum, you shall not be any wiser; and you
>> can't put /var/lib/dpkg/info on a read only media).

Radu> Hmm, well my intention for the md5sums is a bit different.  I'd
Radu> like to use them to 1)check package integrity, and 2)check for
Radu> modified configuration files.  Tripwire is fine, and you'd still
Radu> have to run tripwire.

	Package integrity checking: the whole package has a md5sum,
 and quite widely published at that. If the md5sum does not match, I
 do not install it (actually, I have a script that runs over my local
 mirror ...). This is easy. It exists.

	Secondly, if I am concerned about security and file integrity,
 I use tripwire, and write protect the media the database is on. The
 bad person modifying /usr/bin/make can very well alter
 /var/lib/dpkg/info/make.md5sum as well. 

	Thirdly, the conf file md5sums are already stored by dpkg,
 without all the duplication you are advocating. (have you really
 looked at the contents of /var/lib/dpkg/info/?).

Radu> For example.  I install the base system, and it has /etc/fstab
Radu> as one of the files.  That file gets installed and modified
Radu> before tripwire gets installed, so tripwire couldn't manage it.
Radu> This also applies to installed packages where configuration
Radu> files were modified before tripwire got a chance to manage
Radu> them.

	Umm, and you did not check the md5sum of the package before
 (or at least, after, at your leisure) you installed it? Why not? You
 realize that any amount of after the fact per file checking could be
 too late? 

	Are you really getting any security from this, or are we just
 trying for warm fuzzy feelings?

 manoj
 who believes people should really leave security to the security experts
-- 
 "William Safire would have a cow, but somehow that doesn't disturb
 me." Evan Hunt (evanh@sco.com)
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
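
The co-located checksum problem raised in this message, as an added example that is not part of the original post: a per-file md5 list stored on the same writable filesystem stops reporting a change once it is rewritten along with the file, while a copy kept elsewhere still reports it. The temporary directories, file contents, and function names are constructed for illustration; the second directory stands in for write-protected media.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def write_manifest(root, relpaths, manifest):
    """Record '<md5hex>  <relative path>' per line, as md5sum(1) prints it."""
    with open(manifest, "w") as out:
        for rel in relpaths:
            out.write(f"{md5_of(os.path.join(root, rel))}  {rel}\n")

def verify(root, manifest):
    """Return the paths whose current digest differs from the manifest."""
    mismatched = []
    with open(manifest) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            if md5_of(os.path.join(root, rel)) != digest:
                mismatched.append(rel)
    return mismatched

def demo():
    # Constructed stand-in tree; nothing on the real system is touched.
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as ro:
        rel = "usr/sbin/foo"
        target = os.path.join(root, rel)
        local = os.path.join(root, "var/lib/dpkg/info/foo.md5sum")
        baseline = os.path.join(ro, "foo.md5sum")  # stands in for write-protected media
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(local))
        with open(target, "wb") as f:
            f.write(b"original foo\n")
        write_manifest(root, [rel], local)
        write_manifest(root, [rel], baseline)

        with open(target, "wb") as f:       # file changes, local list untouched
            f.write(b"changed foo\n")
        file_only = verify(root, local)
        write_manifest(root, [rel], local)  # local list rewritten to match
        return file_only, verify(root, local), verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```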

