
Re: md5sum proposal



Hi,
>>"Peter" == Peter S Galbraith <GalbraithP@dfo-mpo.gc.ca> writes:

 Peter> Then why do we half do it already?

        I don't. I do not think anyone should. However, I am willing
  not to micromanage other developers.

 Peter> Is there another reason?  (I'm not talking `secure', I'm talking
 Peter> help for crash recovery).

        This is not a good tool. It does not cover config files, or
 /usr/local/, or my home directories. As a local sysadmin, I
 can't control what should be watched, and what should not.

 >> We all feel that you have a point, but we also see that you can't offer a
 >> high quality solution. If you can give us a free clone of tripwire or
 >> something like that, we can see what we can do to integrate it into the
 >> standard Debian distribution. As Manoj said, (I don't remember the correct
 >> words), a half-baked solution can be worse than no solution at all.

 Peter> Isn't that what we have now?  I'd suggest we either use
 Peter> md5sums files for _all_ packages, or remove them (over time) from
 Peter> packages that do use them.

        I second the latter half. I tried that before, but I did not
 have the energy to harangue others. 

 Peter> I personally think that
 Peter> (1) we already use them,

        No, *WE* don't. 

 Peter> (2) they don't hurt and

        Yes, they do. They seem to give some (admittedly naive) people
 the impression that they are a security tool. The resulting false
 sense of security is dangerous.

 Peter> (3) they could help.

        And they prevent a better tool from being written. One can
 start with a script that looks for trees to watch, reads in
 include and exclude files (regular expressions permitted), and
 maintains a db of the files configured.

        One can build on this basic program until we have a real
 security tool. However, until we push for it, it won't be written.

 Peter> I don't see this as a half baked solution to helping crash
 Peter> recovery.

        Sorry. You are not looking hard enough, then.

 Peter> Our present state of half the packages using them _is_ half
 Peter> baked.

        The policy does not state that we should be including them. Some
 developers seem to be including them -- their package, their choice of
 what goes in. I agree it is kinda useless.

        manoj

-- 
 Do molecular biologists wear designer genes?
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
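The script Manoj sketches above (trees to watch, include/exclude regular
expressions, a database of the configured files) as an added worked example.
This is not Debian's code and not code from the thread; the JSON database
format, the "exclude wins over include" rule, the use of SHA-256 rather than
MD5, and the sample tree built under a temporary directory are all
assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline along the lines sketched in the thread:
walk configured trees, filter with include/exclude regexes, keep a database
of file digests, and report what changed since the baseline was taken.

Added example, not Debian's or Manoj's code. The paths, the regexes and the
JSON database format are assumptions for illustration.
"""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path


def digest(path, algo="sha256"):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def wanted(path, includes, excludes):
    """Exclude rules win over include rules; an empty include list means 'all'."""
    if any(r.search(path) for r in excludes):
        return False
    return not includes or any(r.search(path) for r in includes)


def build_baseline(roots, include_patterns=(), exclude_patterns=(), algo="sha256"):
    """Return {path: {"digest", "mode", "size"}} for every watched regular file."""
    includes = [re.compile(p) for p in include_patterns]
    excludes = [re.compile(p) for p in exclude_patterns]
    db = {}
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()          # deterministic traversal order
            filenames.sort()
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue         # only regular files are hashed
                if not wanted(full, includes, excludes):
                    continue
                st = os.lstat(full)
                db[full] = {"digest": digest(full, algo),
                            "mode": st.st_mode & 0o7777,
                            "size": st.st_size}
    return db


def compare(old, new):
    """Report added, removed and modified (digest or mode changed) paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new)
                      if old[p]["digest"] != new[p]["digest"]
                      or old[p]["mode"] != new[p]["mode"])
    return added, removed, modified


def save_db(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    top = Path(tempfile.mkdtemp(prefix="fim-"))
    (top / "etc").mkdir()
    (top / "usr" / "local" / "bin").mkdir(parents=True)
    (top / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (top / "etc" / "motd").write_text("welcome\n")
    (top / "usr" / "local" / "bin" / "tool").write_text("#!/bin/sh\necho ok\n")
    (top / "etc" / "mtab").write_text("volatile\n")     # churns; excluded below

    roots = [str(top / "etc"), str(top / "usr" / "local")]
    excludes = [r"/etc/mtab$"]
    dbfile = top / "baseline.json"   # in real use keep this where the host cannot rewrite it
    save_db(build_baseline(roots, exclude_patterns=excludes), dbfile)

    # Tamper: edit one file, delete one, add one, and let the excluded file churn.
    (top / "etc" / "hosts").write_text("127.0.0.1 localhost evil\n")
    (top / "etc" / "motd").unlink()
    (top / "usr" / "local" / "bin" / "newtool").write_text("#!/bin/sh\n")
    (top / "etc" / "mtab").write_text("changed\n")

    added, removed, modified = compare(load_db(dbfile),
                                       build_baseline(roots, exclude_patterns=excludes))
    rel = lambda ps: [os.path.relpath(p, top) for p in ps]
    return rel(added), rel(removed), rel(modified)


if __name__ == "__main__":
    a, r, m = demo()
    print("added:", a)
    print("removed:", r)
    print("modified:", m)
```

The point of the include/exclude lists is the one raised in the mail: a local
sysadmin, not the package maintainer, decides that /etc, /usr/local and home
directories are watched and that churning files like /etc/mtab are not. Note
that a baseline kept on the same writable disk as the files it describes is
only a crash-recovery aid, since whoever can alter the files can alter the
database too; that is exactly the false sense of security the mail warns
about, so a copy on read-only or off-host storage is what turns the script
into something closer to a security tool.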