Re: md5sums



srivasta@datasync.com (Manoj Srivastava) wrote:
> Charles> to check whether you have mistakenly edited an installed script which
> Charles> wasn't a conffile,
>
>	Ok. But this is not an operation that everyone wants (I
> personally have never needed to do that -- and I can, since I have a
> local mirror, and I can use dpkg --unpac in /tmp and compare
> files). Given that there are old, slow, and low disk space machines
> out there, one should not push all this to every machine out there. 

First, I -did- suggest that it should be optional.

Second, I've never "needed" to do this either, but if the option was
there, I'd probably use it to verify my system against accidental breakage
every so often.

> Charles> For detecting accidental deletions, I agree with those who've said
> Charles> that there's no point including this information in the package.
>
>	That information is already tracked. Look at
> /var/lib/dpkg/info/*.list. You can track deletions using that.

Sorry, I meant to include accidental corruptions, editings, etc.
Not -just- deletions.

>                                                        Again, if it
> is on the machine, then malicious crackers can corrupt the md5sum
> database too.

As I said, that kind of scheme is not and cannot be proof against
attackers, only against accidents.  My machine isn't connected to the
net and is physically pretty secure, so I have no problem with that.

>	Congratulations. You have just reinvented tripwire. more or less. 

Sorry about that.  I don't know every package under the sun; tripwire
is one of those (many) packages I have never got round to trying.
(Probably in part because it's non-free, and I'm trying to avoid becoming
dependent on new bits of non-free software.)  Apart from being non-free,
it doesn't seem to be quite the tool I want; it checks (I gather) against
a previously recorded state of the system, not against the contents of
the packages the system was installed from.


But back to the plot.  What I was trying to say was:

  IF md5sums are included in .deb files (IMO they shouldn't) OR if they
     are generated and stored by dpkg (IMO they should optionally be) OR
     if they are stored on the mirror network together with a detached
     sig (as you suggest),

  THEN they should be accompanied by mod times, sizes, ownerships,
     modes and symlink destinations.  Basically, everything that can
     be stored in a tar file, except the actual file contents, which is
     checksummed instead.

That probably wasn't worth the time I've spent writing about it, but I
didn't want it to get forgotten.

Cheers,

-- 
Charles Briscoe-Smith
White pages entry, with PGP key: <URL:http://alethea.ukc.ac.uk/wp?95cpb4>
PGP public keyprint: 74 68 AB 2E 1C 60 22 94  B8 21 2D 01 DE 66 13 E2
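
The manifest proposed in the message above (every field a tar member carries, with the file contents replaced by a checksum), sketched in Python as an added example that is not part of the original message or of dpkg. The names `manifest_from_tar`, `diff`, `verify` and `demo`, and the sample tree, are constructed for illustration.

```python
import hashlib, io, os, pathlib, stat, tarfile, tempfile

def manifest_from_tar(tar):
    """Per member: everything tar stores, with file contents replaced by an MD5."""
    man = {}
    for m in tar.getmembers():
        e = {"mode": m.mode, "uid": m.uid, "gid": m.gid, "mtime": int(m.mtime)}
        if m.issym():
            e["target"] = m.linkname
        elif m.isfile():
            e.update(size=m.size, md5=hashlib.md5(tar.extractfile(m).read()).hexdigest())
        man[m.name] = e
    return man

def diff(path, e, check_owner):
    if not os.path.lexists(path):
        return ["missing"]
    st = os.lstat(path)
    if "target" in e:  # symlink: only its destination is compared
        same = stat.S_ISLNK(st.st_mode) and os.readlink(path) == e["target"]
        return [] if same else ["target"]
    if ("md5" in e) != stat.S_ISREG(st.st_mode):
        return ["type"]
    got = {"mode": stat.S_IMODE(st.st_mode)}
    if check_owner:  # off by default: a non-root unpack cannot restore owners
        got.update(uid=st.st_uid, gid=st.st_gid)
    if "md5" in e:  # regular file; directory mtimes change on every install
        data = pathlib.Path(path).read_bytes()
        got.update(mtime=int(st.st_mtime), size=st.st_size, md5=hashlib.md5(data).hexdigest())
    return [k for k in got if got[k] != e[k]]

def verify(root, man, check_owner=False):
    """Sorted (path, field) pairs where the tree under root differs from the manifest."""
    return sorted((n, k) for n, e in man.items()
                  for k in diff(os.path.join(root, n), e, check_owner))

def demo():
    """Constructed sample: pack a tiny tree, then edit one file 'by accident'."""
    with tempfile.TemporaryDirectory() as root:
        tool, buf = pathlib.Path(root, "tool"), io.BytesIO()
        tool.write_bytes(b"#!/bin/sh\necho hi\n")
        os.utime(tool, (900000000, 900000000))  # fixed, old mtime
        os.symlink("tool", os.path.join(root, "t"))
        with tarfile.open(fileobj=buf, mode="w") as tar:
            tar.add(root, arcname=".")  # members ".", "./t", "./tool"
        with tarfile.open(fileobj=io.BytesIO(buf.getvalue())) as tar:
            man = manifest_from_tar(tar)
        clean = verify(root, man)
        tool.write_bytes(b"#!/bin/sh\necho edited\n")
        return clean, verify(root, man)
```

`demo()` returns the mismatch list before and after the edit; the symlink and the directory stay clean because only the file's contents, size and mod time changed.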