Re: md5sums

To: debian-policy@lists.debian.org
Subject: Re: md5sums
From: Manoj Srivastava <srivasta@datasync.com>
Date: 02 Dec 1998 12:07:27 -0600
Message-id: <[🔎] 87pva2v2n4.fsf@tiamat.golden-gryphon.com>
In-reply-to: Charles Briscoe-Smith's message of "Wed, 02 Dec 1998 15:41:29 +0000"
References: <[🔎] 199812021541.PAA08174@elm.ukc.ac.uk>

Hi, 
>>"Charles" == Charles Briscoe-Smith <cpbs@debian.org> writes:

 Charles> Hi all,
 Charles> A few thoughts about these md5sums files:

 Charles> First, what do we want file md5sums for?  As far as I know,
 Charles> the point of the md5sums is to detect accidental corruption
 Charles> of installed files:

	Trip wire does that.

 Charles> to check whether you have mistakenly edited an installed script which
 Charles> wasn't a conffile,

	Ok. But this is not an operation that everyone wants (I
 personally have never needed to do that -- and I can, since I have a
 local mirror, and I can use dpkg --unpac in /tmp and compare
 files). Given that there are old, slow, and low disk space machines
 out there, one should not push all this to every machine out there. 

 Charles> or to check which packages need reinstalling after you've
 Charles> been careless with "rm".

	This does not need md5sum files. The *.list files are enough
 for that.

 Charles> For detecting accidental deletions, I agree with those who've said that
 Charles> there's no point including this information in the package.

	That information is already tracked. Look at
 /var/lib/dpkg/info/*.list. You can track deletiojns using that. 

 [SNIP -- old slow machines]

	Ok. The problem here is that not every one wants the
 performance hit if the md5sum creation or storage, and even if we
 make that optional, the decision would be irrevocable. Again, if it
 is on the machine, then malicous crackers can crrupt the md5sum
 database too. Here follows a scheme that is scalable, and more
 secure, by pulling all security issues to the security of a public
 key, and we can concentrate on making that hard to break.

 a) A tree of md5sum files for packages is maintianed on the Archive,
    and replicated by the mirror array. The files are only removed
    after X years, X >=4. <package>-<version>-<arch>-files.md5sum
 b) These files are created at the point the package is installed into
    the Archive (dinstall).
 c) Also at the same time, we take a md5sum of the
    <package>-<versdion>-<arch>-files.md5sum file it self, and create,
    in a non replicated dir on Master, a one line index snippet file
    <package>-<versdion>-<arch>.md5sum 
 d) Once a day, after dinstall is done, the index snippet files are
    concatenated into a replicated Index.md5sum-current file.
 e) Once a week, the latest Index.md5sum-current file is moved to
    Index.md5sum file, and the is signed by a ``Official Debian
    Signing Key''. The signature is a detatched signature, and is
    never mirrored.
 f) The ``Official Debian Signing Key'' should be on a secure machine,
    and have signatures from at least 2 of three ``Official Debian
    Keys'', which are entrusted to different office holders appointed
    by the Leader, and these keys are never on a public machine.


	So how does it all work? When you say check <package>;  the
 script 

 1. gets the detatched signature from a known IP (possibly master). 
 2. Then, like apt, it down loads the Index file, and the
    package  md5sum file, from any mirror. 
 3. It checks the signature on the Index file
 4. It checks the md5sum of the <package>-<version>-<arch>-files.md5sum
    file.
 5. It checks the files mentioned in the latter with the local
    machine.

	The critical part is getting the  ``Official Debian Signing
 Key''  well enough replicated and into the web of trust that one
 knows that one has a known good value of the public key. Possibly,
 the public key should be on all mirrors, and CD's, and we publish the
 signature of the key all over, to lower the possibility of forgery.

 Charles> But those points have already been made....  The point I wanted to make
 Charles> is that storing the md5sum (or another checksum) of the file isn't
 Charles> enough.  We also need to store ownership (user and group), permissions,
 Charles> and, for symlinks, destination.  While we're at it, file size and last
 Charles> modification date would be good, too.  Arguably, the ownership and
 Charles> permissions of a file are easier to accidentally corrupt than its
 Charles> contents.


	Congratulations. You have just reinvented tripwire. more or less. 

	manoj
-- 
 It is easier for a camel to pass through the eye of a needle if it is
 lightly greased. Kehlog Albran, "The Profit"
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E

Reply to:

Follow-Ups:
- Re: md5sums
  - From: James Troup <james@nocrew.org>
- Re: md5sums
  - From: Charles Briscoe-Smith <cpbs@debian.org>

References:
- Re: md5sums
  - From: Charles Briscoe-Smith <cpbs@debian.org>

Prev by Date: Re: Question about policy-change process
Next by Date: Bug#29770: Policy contradicts itself about /etc/aliases
Previous by thread: Re: md5sums
Next by thread: Re: md5sums
Index(es):
- Date
- Thread