
Re: md5sum proposal



Hi,
>>"Christoph" == Christoph Lameter <christoph@lameter.com> writes:

 Christoph> We have tried to get dpkg to do md5sums since over 3 years
 Christoph> now.

        We? The policy group has in the past rejected this proposal
 (it did come up for inclusion in policy a while ago).

 Christoph> Given the inertia of the product we have no choice
 Christoph> but to continue using what we have. I introduced md5sums
 Christoph> only after it became clear that dpkg was an essentially
 Christoph> deadbeat package and there was persistent demand for such
 Christoph> a feature. Please get dpkg to do md5sums (keep the
 Christoph> dream.. err fantasy alive) but until that time we need to
 Christoph> keep using md5sums the way they are today.

        I have a different memory of events. This proposal was brought
        up on this list, and was shot down because
 a) It really provides no security.
 b) It would bloat the packaging system, when it does not really solve
    the problem
 c) It does not address the config files, which are quite as critical
    -- more critical, in fact, than other files, because other files
       can be fixed by reinstalling the packages from a known good
       archive/CD 
 d) There are standalone solutions that do a good job -- though we may
    need to work on free replacements. 
 
        You may continue to prefer to believe (incorrectly, IMHO),
 that it is the inertia of dpkg rather than technical flaws that have
 kept the md5sums out of policy, but I beg to differ.

 Christoph> It is useful and has helped me and others figure out
 Christoph> corrupted files in a variety of situations. We are
 Christoph> rearguing what has been argued 3 times over
 Christoph> before... Situation has not changed so why bother
 Christoph> repeating ourselves?

        Precisely. You have yet to come up with anything that addresses
 the technical shortcomings of the md5sum proposal. I, for one, use
 tripwire. I would much prefer to use a free solution, but I do not
 have time to write a secure replacement.

        manoj

-- 
 The very ink with which all history is written is merely fluid
 prejudice. Mark Twain
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E

