Re: bad debsums in coreutils_5.0-1_i386.deb

To: debian-user@lists.debian.org
Subject: Re: bad debsums in coreutils_5.0-1_i386.deb
From: David Z Maze <dmaze@debian.org>
Date: Fri, 02 May 2003 12:00:38 -0400
Message-id: <[🔎] 87ptn1wd7d.fsf@cag.lcs.mit.edu>
In-reply-to: <[🔎] 20030502123543.GB2082@tc.telocity.com> (Rick Pasotto's message of "Fri, 2 May 2003 08:35:43 -0400")
References: <[🔎] 20030502123543.GB2082@tc.telocity.com>

Rick Pasotto <rick@niof.net> writes:

> Why are most of the md5sums in the /bin directory of
> coreutils_5.0-1_i386.deb incorrect? (chgrp, chmod, date, df, dir,
> echo, false, ln, ls, mkdir, mknod, mv, readlink, rm, rmdir, sleep,
> touch, true, uname, vdir)

FWIW, I have the same version of coreutils, and debsums seems
perfectly happy.

> Doesn't dpkg verify these during the install process?

No.

[IIRC, the Big Issue with debsums is that it's not at all safe vs. a
malicious attacker; a Debian-specific rootkit would also modify md5sum
files when it replaced binaries.  There was discussion of this on
debian-devel quite a while ago.  There have been talks about better
ways to implement something that works, but I don't think there's a
widely used implementation of anything equivalent.  My personal
opinion is that debsums are quite useful in the case of hardware
failure, and that packages should have them for this case, but I
haven't been active at all in modifying policy.]

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell

Reply to:

References:
- bad debsums in coreutils_5.0-1_i386.deb
  - From: Rick Pasotto <rick@niof.net>

Prev by Date: Re: Mutt now
Next by Date: Re: what is this error message?
Previous by thread: Re: bad debsums in coreutils_5.0-1_i386.deb
Next by thread: SSH X11 forwarding still?
Index(es):
- Date
- Thread