
Re: Missing debsums and mismatches



Fredrik "Demonen" Vold wrote:
> ...
> I've just installed debsums and ran it to see if there was any oddness.
> 
> Output of a silent run follows below the message.
> 
> My question is:
> Should I be alarmed about so many packages not having md5sums?

Should you be alarmed?  Yes.  Is it unusual?  No.  In my experience of
running sarge, there are a lot of packages like this.

There is a mitigation against this: install debsums early!  It includes
this in /etc/apt/apt.conf.d/90debsums:
	DPkg::Post-Invoke { "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi"; };

This means that any packages you install subsequently will have their
debsums generated for them if they are missing.

> ...
> I'm sure all this is just paranoia, but maybe there should be a list
> of stuff that has no md5sum?

That would be an improvement from my perspective (I'm just a user of
Debian, not a developer).

> Maybe there is one, and I'm just ignorant to that fact?

Possibly - if you find out about one, please let me know!  :-)

> ...
> Could somebody please explain to me a situation where an MD5sum change
> is OK when I'm sure I haven't touched the file in question?

I haven't seen that happen on my systems (that I know of).

> ...
> And finally:  Shouldn't packages like 'make' and 'sed' have checksums generated?

Yes.  ;-)

> 
> chkrootkit has nothing to report in quiet mode, but it has external
> dependencies (sed is one of them), so I'm not really trusting it right
> now.
> Of course, it does find some dotdirs, and it seems chkrootkit is even
> more paranoid about dotdirs than I am ;-)

I found that as well, so I decided to run chkrootkit through a tool that
does a diff every night in cron.  I do this with a script I created
called tracker.  You can get it by putting
	deb http://apt.gear.dyndns.org/ binary/
in your /etc/apt/sources.list and running 'apt-get install tracker'.

I'd be interested in feedback on tracker if you try it.  Many of the
configuration files it uses are targeted at getting useful security
information without being overwhelmed.

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Microsoft Internet Explorer and Outlook have a poor track
record for security <http://www.kb.cert.org/vuls/id/713878>.  Why not
try one of the more secure alternatives from <http://mozilla.org>?

Attachment: signature.asc
Description: OpenPGP digital signature
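
The nightly-diff approach described in the message above, as an added example (this is not tracker itself and not code from the original message): a noisy scanner's output is compared with the previous run's, so only changes get reported. The function name nightly_diff and the STATE_DIR location are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report only what changed in a command's output since the
# previous run.  STATE_DIR and nightly_diff are names assumed for this sketch.
STATE_DIR="${STATE_DIR:-/var/tmp/nightly-diff}"

# nightly_diff NAME COMMAND [ARGS...]
# Returns 0 (prints nothing) when output matches the stored baseline,
# 1 when it differs or no baseline exists yet (prints the diff or the
# first output), 2 when the state directory cannot be used.
nightly_diff() {
    name="$1"; shift
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 2
    base="$STATE_DIR/$name.last"
    new="$(mktemp "$STATE_DIR/$name.XXXXXX")" || return 2

    # Capture stdout and stderr together, plus the exit status: a scanner
    # that suddenly starts failing is itself worth a report.
    status=0
    "$@" >"$new" 2>&1 || status=$?
    printf 'exit status: %s\n' "$status" >>"$new"

    if [ ! -f "$base" ]; then
        echo "== $name: first run, recording baseline =="
        cat "$new"
        mv "$new" "$base"
        return 1
    fi
    if cmp -s "$base" "$new"; then
        rm -f "$new"
        return 0
    fi
    echo "== $name: output changed since last run =="
    diff -u "$base" "$new" || true   # diff exits 1 when the files differ
    mv "$new" "$base"                # the next run compares against tonight
    return 1
}

# Intended use from a nightly cron job, whose output cron mails to the admin:
#   nightly_diff chkrootkit chkrootkit -q
```

Because each change replaces the baseline, a difference is reported once, on the night it first appears, so the baseline file should be readable and writable only by the account that runs the job.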

