
Re: Bug#132767: debsum support should be mandatory



>>"Matthew" == Matthew Wilcox <willy@debian.org> writes:

 Matthew> All rpm-based systems support rpm --verify.  Having debsums
 Matthew> support optional makes debian an inferior distribution in
 Matthew> this aspect.  Making DEBIAN/md5sums required rather than
 Matthew> optional would rectify this situation.

	In order to verify that the system is not compromised, at the
 very least you need to have the hash file cryptographically
 signed. Without that, when I hack your machine, I'll simply hack your
 hash file as well.

	debsums do not provide any protection against corruption of
 conffiles.

	Secondly, this should be built into dpkg itself, and not in
 zillions of scripts; and dpkg creates an md5sum file at .deb creation
 time (whether it goes into data.tar.gz or it is a separate component
 of the ar file (I prefer the latter, since it is easier to implement
 delayed signing) needs to be decided). Creating conffile checksums and
 signing them can still be done after the postinst has been run by
 dpkg itself.

	Having the hashes generated at package build time is
 marginally better than having the hashes generated at install time
 (and signed by the installer), since one may not be sure of the
 md5sum on the installed machine (Say, I can hack md5sum to return the
 expected rather than the correct value, so that if the md5sum = X,
 then actually return md5sum Y, which matches the database value).

	Signing the hash file also requires a means of verifying the
 signature (an interesting problem in itself, given that there are 900+
 developers and counting). Indeed, perhaps we can add another member
 to the ar, which is a detached sig of the hash file in the deb
 created by dinstall after verifying the developer's sig during
 dinstall runs.

	A poorly designed cryptographic solution is worse than not
 having one, since the latter does not give one a false sense of
 security.

	If security is not the issue you are worried about, then
 tripwire or similar tools can help you not only create hash tables
 for the files in the package, but for the conffiles as well.

	manoj
-- 
 We'll cross that bridge when we come back to it later.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
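The design sketched in the message above (the md5sums manifest as its own member of the .deb ar archive, a detached signature over it added as a further member after the build, and an installed-system check that recomputes the digests itself and trusts the manifest only once the signature verifies), as an added worked example. This is not code from the thread, from dpkg or from debsums. Assumptions: the member names _md5sums and _md5sums.sig are hypothetical; md5 is kept for the manifest because that is what DEBIAN/md5sums carries; and textbook RSA over SHA-256 with a small seeded key (no padding, illustration only) stands in for the OpenPGP detached signature the message has in mind.

```python
"""Added example (not from the original message, dpkg or debsums): a .deb-style ar
archive with the md5sums manifest and a detached signature over it as separate
members, and a verifier that trusts the hashes only once the signature verifies.
Textbook RSA (seeded small key, no padding, demo only) stands in for OpenPGP."""
import hashlib
import io
import random
import tarfile

AR_MAGIC = b"!<arch>\n"

def ar_pack(members):                   # (name, bytes) pairs -> ar archive (the .deb container)
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:          # 60-byte header: name16 mtime12 uid6 gid6 mode8 size10 "`\n"
        out.write(b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode(), 0, 0, 0, b"100644", len(data)))
        out.write(data + (b"\n" if len(data) % 2 else b""))   # members start on even offsets
    return out.getvalue()

def ar_unpack(blob):                    # ar archive -> {name: bytes}, rejecting malformed headers
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        size = int(hdr[48:58].strip())
        members[hdr[:16].rstrip().decode()] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members

def make_tar(files):                    # {path: bytes} -> uncompressed tar, standing in for data.tar
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def _mr_pass(a, d, r, n):               # one Miller-Rabin round with base a (n - 1 = d * 2**r)
    x = pow(a, d, n)
    return x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1))

def _probable_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | 1 << (bits - 1) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        if all(_mr_pass(a, d, r, n) for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
            return n

def rsa_keygen(bits=1024, seed=0):      # seeded so the demo is reproducible; returns (public, private)
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _probable_prime(bits // 2, rng), _probable_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            n = p * q
            return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))   # Python 3.8+ modular inverse

def rsa_sign(priv, msg):                # textbook RSA signature over SHA-256(msg)
    n, d = priv
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(pub, msg, sig):
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def build_deb(files, signing_key=None):
    """Package {path: bytes}; the md5sums manifest is its own ar member, so a signer
    that runs after the build (the dinstall step) only appends one more member."""
    manifest = "".join("%s  %s\n" % (hashlib.md5(c).hexdigest(), p) for p, c in files.items()).encode()
    members = [("debian-binary", b"2.0\n"), ("data.tar", make_tar(files)), ("_md5sums", manifest)]
    if signing_key is not None:
        members.append(("_md5sums.sig", rsa_sign(signing_key, manifest)))
    return ar_pack(members)

def verify_deb(blob, pub):
    """(ok, reason). Signature first, so a rewritten file plus a patched manifest still
    fails; digests are recomputed here, not by the (possibly trojaned) host md5sum."""
    m = ar_unpack(blob)
    if "_md5sums" not in m or "_md5sums.sig" not in m:
        return False, "manifest or signature member missing"
    if not rsa_verify(pub, m["_md5sums"], m["_md5sums.sig"]):
        return False, "manifest signature invalid"
    expected = {p: h for h, p in (ln.split("  ", 1) for ln in m["_md5sums"].decode().splitlines())}
    with tarfile.open(fileobj=io.BytesIO(m["data.tar"])) as tar:
        for info in tar:
            if info.isfile() and expected.pop(info.name, None) != hashlib.md5(tar.extractfile(info).read()).hexdigest():
                return False, "hash mismatch: " + info.name
    return (False, "listed but absent: " + ", ".join(sorted(expected))) if expected else (True, "ok")

if __name__ == "__main__":
    pub, priv = rsa_keygen(seed=1)
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n", "etc/hello.conf": b"greeting=hello\n"}
    print("archive key:", verify_deb(build_deb(files, priv), pub))
    print("intruder key:", verify_deb(build_deb(files, rsa_keygen(seed=2)[1]), pub))   # re-hashed and re-signed
```

The verifier checks the signature before comparing a single hash, so an intruder who edits a file and patches the manifest to match still fails unless they also hold the archive key, which is the message's objection to an unsigned hash file; and it computes the digests in-process rather than shelling out, which is its objection to trusting the md5sum binary on the machine being checked. The sample files are constructed for the demonstration.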
