Re: md5sum proposal

To: debian-policy@lists.debian.org
Subject: Re: md5sum proposal
From: Manoj Srivastava <srivasta@debian.org>
Date: 18 May 1999 15:45:53 -0500
Message-id: <87hfpaw1ha.fsf@glaurung.green-gryphon.com>
In-reply-to: Piotr Roszatycki's message of "Tue, 18 May 1999 17:23:20 +0200 (CEST)"
References: <Pine.LNX.4.10.9905181707410.26004-100000@cyan.fnet.pl>

Hi,
>>"Piotr" == Piotr Roszatycki <dexter@fnet.pl> writes:

 >> a) It really provides no security.
 Piotr> It is not for *this* security reason (crackers, hackers and
 Piotr> others) 

        Good. So on this we agree.


 >> b) It would bloat the packaging system, when it does not really solve
 >> the problem
 Piotr> Good policy could help.

        umm? Good policy would be to exclude this from dpkg, is that
 what you mean? 

 >> c) It does not address the config files, which are quite as critical
 >> -- more critical, in fact, than other files, because other files
 >> can be foxed by reistalling the packages from a known good
 >> archive/CD 
 Piotr> Config files could be excluded from md5sums.
        
        Then it is a flawed, incomplete, solution. I would sure as
 hell want to know when my config files are modified -- espescially on
 public machines with lots of users. 

        Any solution should also be able to protect my /usr/local area
 -- and, optionally, bits and pieces in /home/

 >> d) There are standalone solutions that do a good job -- though we may
 >> need to work on free replacements. 
 Piotr> You mean free solutions?

        Yes, we need to work on free replacements. However, a script
 using md5sums takes 5 minutes to write, and only a couple of hours to
 turn

 Piotr> A few weeks ago I had a system crash. I had to check which
 Piotr> packages was broken. I had to do this _quickly_ and _easly_.
 Piotr> I lost a lot of time because I had to do it manually - a lot
 Piotr> of packages didn't have md5sums check file.

        Your problem. I have a tripwire file on CD-RW media --
 computed weekly. Bad sysadmin processes are no reason to further
 bloat dpkg. 

        Use the right tool for the job.

 Piotr> md5sums doesn't repend of dpkg. It is possible to use "3rd party" tool
 Piotr> like debsums.

        Go ahead. On your machine. I think this belongs in user
 land. Not in packages. Let each user decide whether or not to use the
 debsums method.

        manoj
-- 
 Rarely do people communicate; they just take turns talking.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E

Reply to:

References:
- Re: md5sum proposal
  - From: Piotr Roszatycki <dexter@fnet.pl>

Prev by Date: Re: md5sum proposal
Next by Date: Re: md5sum proposal
Previous by thread: md5ums: Why tripwire etc is no solution
Next by thread: Re: md5sum proposal
Index(es):
- Date
- Thread