
Re: packages without .md5sums file?



>>"Marcus" == Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de> writes:

 Marcus> I think that the checksums should be in the package, and
 Marcus> burned on CDs along with the package, so you can verify them
 Marcus> more easily.

	If the package is signed, or if there is a Packages file on
 the CD with md5sum of the package in it, you do not need an
 additional list of explicit md5sums of each and every file in the
 package. No additional security is gained from that. 

	Additionally, conffiles are not taken into consideration by
 these schemes to store checksums on the CD. Tripwire and friends do
 take care of that, but they have their own problems.

 Marcus> Creating them by an untrusted system, and
 Marcus> storing them on writable media (even temporarily) is a
 Marcus> process which is difficult to harden.

	Strawman. If you do not trust the system where you check the
 md5sums, you can say nothing about the results. If you have a trusted
 system to do the checking, you can start with a trusted set of .debs
 and check for modified files.

	You are making the argument that the current system leaves you
 no way to verify files on your box; and really, that is not
 true. The trade-offs involved here are between size of .debs vs
 processing in the (rare) occurrence of an integrity check; and not all
 of us agree that the rare computational penalty is too bad a price to
 pay in return for the more common saving of space and bandwidth.

	However, I could be swayed from my position were I shown hard
 numbers that demonstrate otherwise -- performance penalties in
 starting from a verified .deb vs the space consumption of md5sums.

	manoj
-- 
 I'm So Miserable Without You It's Almost Like Having You Here Song
 title by Stephen Bishop.  She Got the Gold Mine, I Got the Shaft Song
 title by Jerry Reed.  When My Love Comes Back from the Ladies' Room
 Will I Be Too Old to Care? Song title by Lewis Grizzard.  I Don't
 Know Whether to Kill Myself or Go Bowling Unattributed song title.
 Drop Kick Me, Jesus, Through the Goal Posts of Life Unattributed song
 title.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
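The check Manoj describes (start from a .deb whose whole-archive checksum is known from a trusted Packages file, then compare installed files against the contents of that verified archive, with conffiles set aside) can be written out in a few lines. The following is an added illustration, not code from the thread or from Debian's tools: it uses an in-memory tar as a stand-in for the .deb data member, constructed sample files, and plain MD5 because that is what the thread discusses; the file names and the `frob` package are invented.

```python
"""Added example: derive per-file checksums from a package whose
archive-level checksum is trusted, then look for modified or missing
installed files. A separate .md5sums list inside the package would
only duplicate what file_digests() computes here."""
import hashlib
import io
import tarfile


def build_archive(files):
    """Pack {path: bytes} into an in-memory tar (stand-in for a .deb data member).
    TarInfo defaults (mtime 0, uid/gid 0) and sorted order make it deterministic."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_digest(archive):
    """Whole-archive checksum, the value a Packages file would carry."""
    return hashlib.md5(archive).hexdigest()


def verify_archive(archive, expected_md5):
    """Step 1: the package itself must match the trusted checksum."""
    return archive_digest(archive) == expected_md5


def file_digests(archive):
    """Step 2: per-file checksums come from the verified archive, not from a
    list shipped alongside it."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.md5(data).hexdigest()
    return digests


def check_installed(archive, expected_md5, installed, conffiles=()):
    """Compare installed files ({path: bytes}) against the verified archive.
    Returns (ok, modified, missing, skipped); conffiles are skipped because
    they legitimately differ after local editing, which is the gap the
    thread notes that archive checksums leave open."""
    if not verify_archive(archive, expected_md5):
        raise ValueError("archive does not match trusted checksum; stop here")
    reference = file_digests(archive)
    modified, missing, skipped = [], [], []
    for path, digest in reference.items():
        if path in conffiles:
            skipped.append(path)
            continue
        if path not in installed:
            missing.append(path)
        elif hashlib.md5(installed[path]).hexdigest() != digest:
            modified.append(path)
    return (not modified and not missing, modified, missing, skipped)


# Constructed sample package (hypothetical "frob" package, not a real one).
PACKAGE_FILES = {
    "usr/bin/frob": b"#!/bin/sh\necho frob\n",
    "usr/share/doc/frob/README": b"frob docs\n",
    "etc/frob.conf": b"verbose=0\n",
}
CONFFILES = ("etc/frob.conf",)
PACKAGE = build_archive(PACKAGE_FILES)
# Stand-in for the MD5Sum field of a signed Packages entry.
TRUSTED_MD5 = archive_digest(PACKAGE)

# Constructed "installed" trees: one untouched, one with a changed binary,
# an edited conffile and a deleted doc file.
INSTALLED_CLEAN = dict(PACKAGE_FILES)
INSTALLED_TAMPERED = {
    "usr/bin/frob": b"#!/bin/sh\necho not-frob\n",
    "etc/frob.conf": b"verbose=1\n",
}

if __name__ == "__main__":
    print(check_installed(PACKAGE, TRUSTED_MD5, INSTALLED_CLEAN, CONFFILES))
    print(check_installed(PACKAGE, TRUSTED_MD5, INSTALLED_TAMPERED, CONFFILES))
```

The trust boundary is `TRUSTED_MD5`: it has to come from a signed Packages file or read-only media, and the comparison has to run on a host whose tools are themselves trusted, exactly the precondition the reply insists on. Note that the edited conffile is reported as skipped rather than modified, which is why a separate mechanism (Tripwire-style baselines) is needed for that class of files.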