Re: md5sum proposal
Hi,
>>"Goswin" == Goswin Brederlow <goswin.brederlow@student.uni-tuebingen.de> writes:
Goswin> Anthony Towns <aj@azure.humbug.org.au> writes:
>> Taking an md5sum of the control.tgz and data.tgz components as a whole
>> and signing these would be somewhat more `secure' and certainly no
>> more difficult.
Goswin> Yep. Saying that xxx has no sum doesn't hold, since it could allways
Goswin> be include. :)
So we agree on package integrity: md5sum files are tno the
answer here.
>> > 3. After configuration new md5sums can be generated and signed (for
>> > security)
>>
>> This also has more complicated issues than just generating md5sums (find
>> | xargs will do that for you). In particular making sure your list of
>> md5sums isn't equally vulnerable as your main system is difficult. Signing
>> them in any useful way requires keeping your private key on removable
>> media, (or on a separate secured/firewalled/somethinged computer).
You mean you do not keep your private key on a removable media
on a non-networked computer? Why are you worrying about security at
all then?
>> Other options are keeping your md5sums on removable media, or
>> write-once media, like CD-R or printing them out in a manner
>> that's verifiable by hand [0].
>> For system recovery purposes, though -- and seeing what you have to
>> reinstall, or what you munged when you did a make install as root when
>> you shouldn't have, or whatever, .md5sums don't seem all that bad to me.
Goswin> Thats the main use for it, as I see it. But not only for recovery, but
Goswin> also for backup. You only need to backup files that have a different
Goswin> md5sum compared to the deb files on CD.
Why only .deb files? And the md5sums included in packages can
not accomodate conf files in /etc legitimately changed by the
sysadmin.
If this is the onl;y legitimate use of the sums files, why
bloat the packaging mechanism with them? Why not work on a program
that is flexible enough to look at any and all files on the system,
as directed by the user.
I figure we need a program that
a) Takes a list of dir tree roots to consider (so I can add
/usr/local/etc or /home/srivasta/Backups
b) Applies exclusion reg expressions to the files in the tree
c) Applies inclusion regexps (optionally) to the files excluded
d) Looks at targets of links
e) looks at uid and gid of files
f) looks at md5sums of files
g) creates its databse under a single dir, so it may be mounted on
removeable media (like a CD-RW or zip/jazz drive)
manoj
--
Griffin's Thought: When you starve with a tiger, the tiger starves
last.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
Reply to: