Re: Bug#132767: debsum support should be mandatory
>>"Matthew" == Matthew Wilcox <willy@debian.org> writes:
Matthew> All rpm-based systems support rpm --verify. Having debsums
Matthew> support optional makes debian an inferior distribution in
Matthew> this aspect. Making DEBIAN/md5sums required rather than
Matthew> optional would rectify this situation.
In order to verify that the system is not compromised, at the
very least you need to have the hash file cryptographically
signed. Without that, when I hack your machine, I'll simply hack your
hash file as well.
debsums do not provide any protection against corruption of
conffiles.
Secondly, this should be built into dpkg itself, and not in
zillions of scripts; and dpkg creates an md5sum file at .deb creation
time (whether it goes into data.tar.gz or is a separate component
of the ar file needs to be decided; I prefer the latter, since it is
easier to implement delayed signing). Creating conffile checksums and
signing them can still be done after the postinst has been run by
dpkg itself.
Having the hashes generated at package build time is
marginally better than having the hashes generated at install time
(and signed by the installer), since one may not be sure of the
md5sum on the installed machine (say, I can hack md5sum to return the
expected rather than the correct value, so that if the md5sum is X,
it actually returns md5sum Y, which matches the database value).
Signing the hash file, and having a means of verifying the
signature, is an interesting problem in itself, given that there are
900+ developers and counting. Indeed, perhaps we can add another member
to the ar, which is a detached sig of the hash file in the deb,
created by dinstall after verifying the developer's sig during
dinstall runs.
A poorly designed cryptographic solution is worse than not
having one, since the latter does not give one a false sense of
security.
If security is not the issue you are worried about, then
tripwire or similar tools can help you not only create hash tables
for the files in the package, but for the conffiles as well.
manoj
--
We'll cross that bridge when we come back to it later.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
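The argument in the message above, worked through as an added example (not code from the mail, from debsums or from dpkg): a minimal debsums-style check over a DEBIAN/md5sums-format manifest. It shows that an unsigned manifest catches accidental corruption but not an attacker who rewrites both the file and its hash line, that conffiles left out of the manifest are not checked at all, and that a detached signature over the manifest makes the forged manifest detectable. Assumptions not taken from the page: the package contents are a constructed in-memory dict rather than a real tree, and an HMAC keyed with a secret the attacker does not hold stands in for the detached OpenPGP signature the mail proposes (the control flow is the same: check the signature on the manifest first, only then trust its hashes).

```python
"""Added example: debsums-style verification, with and without a signed manifest.

The HMAC below is a stand-in for a detached signature (assumption, not from
the original mail); the file tree is constructed inline.
"""
import hashlib
import hmac


def build_md5sums(files, conffiles=()):
    """Build a DEBIAN/md5sums-format manifest from {path: bytes} at package
    build time.  As with real .debs, conffiles are NOT listed, which is why
    a checksum-based check says nothing about them."""
    return "".join(
        f"{hashlib.md5(data).hexdigest()}  {path}\n"
        for path, data in sorted(files.items())
        if path not in conffiles
    )


def parse_md5sums(text):
    """Parse '<32 hex>  <path>' lines into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries


def verify_files(manifest_text, files):
    """Unsigned debsums-style check: paths whose content does not match."""
    bad = []
    for path, expected in parse_md5sums(manifest_text).items():
        data = files.get(path)
        if data is None or hashlib.md5(data).hexdigest() != expected:
            bad.append(path)
    return bad


def sign_manifest(manifest_text, key):
    """Stand-in for the detached signature over the hash file."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_signature(manifest_text, sig, key):
    return hmac.compare_digest(sign_manifest(manifest_text, key), sig)


def verify_package(manifest_text, sig, key, files):
    """Signed check: (signature_ok, bad_paths).  If the manifest does not
    verify, its hashes are not consulted at all; they are attacker data."""
    if not verify_signature(manifest_text, sig, key):
        return False, []
    return True, verify_files(manifest_text, files)


def demo():
    # Constructed sample package: one binary, one doc file, one conffile.
    files = {
        "usr/bin/tool": b"#!/bin/sh\necho hello\n",
        "usr/share/doc/tool/README": b"docs\n",
        "etc/tool.conf": b"verbose=0\n",
    }
    conffiles = {"etc/tool.conf"}
    manifest = build_md5sums(files, conffiles)
    key = b"archive signing key (stand-in, constructed)"
    sig = sign_manifest(manifest, key)

    # 1. Accidental corruption of a listed file: caught, with or without a signature.
    corrupted = dict(files, **{"usr/bin/tool": b"#!/bin/sh\necho hell\n"})
    r1 = verify_package(manifest, sig, key, corrupted)

    # 2. Attacker replaces the binary AND rewrites md5sums to match:
    #    the unsigned check reports nothing wrong.
    trojaned = dict(files, **{"usr/bin/tool": b"#!/bin/sh\n# backdoor\n"})
    forged_manifest = build_md5sums(trojaned, conffiles)
    r2 = verify_files(forged_manifest, trojaned)

    # 3. Same attack against the signed check: the forged manifest fails
    #    signature verification before any hash is compared.
    r3 = verify_package(forged_manifest, sig, key, trojaned)

    # 4. Tampered conffile: not in the manifest, so not detected even with
    #    a valid signature.
    bad_conf = dict(files, **{"etc/tool.conf": b"verbose=0\nexec=/tmp/x\n"})
    r4 = verify_package(manifest, sig, key, bad_conf)
    return r1, r2, r3, r4


if __name__ == "__main__":
    for label, result in zip(("corruption", "forged+unsigned", "forged+signed", "conffile"), demo()):
        print(f"{label}: {result}")
```

Note that hashing happens in-process here; on a real host the check is only as trustworthy as the md5sum/dpkg binaries doing the hashing, which is the remaining point the mail makes about build-time versus install-time hashes.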