Re: Bug#132767: debsum support should be mandatory

To: Manoj Srivastava <srivasta@debian.org>
Cc: debian-policy@lists.debian.org
Subject: Re: Bug#132767: debsum support should be mandatory
From: Jason Gunthorpe <jgg@debian.org>
Date: Mon, 11 Feb 2002 18:33:05 -0700 (MST)
Message-id: <[🔎] Pine.LNX.3.96.1020211181022.2404A-100000@wakko.debian.net>
In-reply-to: <[🔎] 87k7tjpzbc.fsf@glaurung.green-gryphon.com>

On Mon, 11 Feb 2002, Manoj Srivastava wrote:

> 	Only if the machine _has_ remained true to a known
>  release. Unfortunately, a large class of machines are selectively
>  upgraded. My contention is that the granularity of a Pavckage is a

There are significant number of security wary people who just run stable
and do not follow unstable. They can derive benifit.

>  filelists, built into the package, offer iwder coverage than the
>  release file mechanism (are daily release files signed yet?)

They are.

> 	Look at the granularity of the package. If we have signed
>  filelists for each package, then we can indeed buildup the security
>  picture of the whole machine

How? You don't even know what the version number of a package is by
looking at the filelist. You cannot trust the status file, so you actually
have no idea what version is installed [see below for how to solve that
within the debsigs case].

>  Jason> The file can optionally be re-created and saved by dpkg on
>  Jason> extraction. It does not have to be in the .deb for dpkg to
>  Jason> write it to /var/lib/dpkg/info.
> 
> 	But then it can't be signed, and it can be mandled on the
>  machine, unless we go and store all the packages files and all the
>  corresponding release files.

Of course it can be signed. When using debsigs it will be signed using the
same technique as the global release sigs use. You sign the hash of the
filelist file and store that in the .deb. Anyone can compute the filelist
file from a .deb - so anyone can compute its SHA-1. 

When using debsigs what you need to sign for maximum benfit is a single
file that contains the entire contents of 'control' (most critically the
package name and verision number), the SHA-1 of the control/data.tar.gz
and the SHA-1 of the file list. You store this w/ all sigs on extraction.

When using signed releases you sign the Release file which hashes the
Package file which hashes .deb and the filelist.

Recovery would involve ensuring that the status file and the signed
'control' data match, that the filelist on disk matches and that the
contents of the file list matches the disk. 

Jason

Reply to:

References:
- Re: Bug#132767: debsum support should be mandatory
  - From: Manoj Srivastava <srivasta@debian.org>

Prev by Date: Bug#132621: debian-policy: /etc/init.d _must_ be conffiles (not should)
Next by Date: Bug#133808: proposal for a License: tag in packages
Previous by thread: Re: Bug#132767: debsum support should be mandatory
Next by thread: Re: Bug#132767: debsum support should be mandatory
Index(es):
- Date
- Thread