
Re: bad debsums in coreutils_5.0-1_i386.deb

Rick Pasotto <rick@niof.net> writes:

> Why are most of the md5sums in the /bin directory of
> coreutils_5.0-1_i386.deb incorrect? (chgrp, chmod, date, df, dir,
> echo, false, ln, ls, mkdir, mknod, mv, readlink, rm, rmdir, sleep,
> touch, true, uname, vdir)

FWIW, I have the same version of coreutils, and debsums seems
perfectly happy.

> Doesn't dpkg verify these during the install process?


[IIRC, the Big Issue with debsums is that it's not at all safe vs. a
malicious attacker; a Debian-specific rootkit would also modify md5sum
files when it replaced binaries.  There was discussion of this on
debian-devel quite a while ago.  There have been talks about better
ways to implement something that works, but I don't think there's a
widely used implementation of anything equivalent.  My personal
opinion is that debsums are quite useful in the case of hardware
failure, and that packages should have them for this case, but I
haven't been active at all in modifying policy.]

David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
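
An added illustration of the point made in the reply above, not part of the original message and not debsums' own code: a checksum list stored beside the binaries catches accidental corruption, but not a replacement that also rewrites the list, while a reference list kept elsewhere catches both. The function names, the temp-dir layout and the idea of a "trusted" copy held off the host are assumptions made for this example.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of(path):
    """Hex MD5 of a file, or None if it cannot be read."""
    try:
        return hashlib.md5(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None

def parse_md5sums(text):
    """Parse dpkg-style md5sums lines: '<md5 hex>  <relative path>'."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            sums[path.strip()] = digest.lower()
    return sums

def verify(root, sums):
    """Return the sorted paths that are missing or do not match their MD5."""
    return sorted(p for p, want in sums.items() if md5_of(Path(root, p)) != want)

def make_list(root, paths):
    """Build an md5sums list from whatever is on disk right now."""
    return "".join(f"{md5_of(Path(root, p))}  {p}\n" for p in paths)

def demo():
    """Constructed scenario in a temp dir; file contents are placeholders."""
    paths = ["bin/ls", "bin/rm"]
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        for p in paths:
            Path(root, p).write_bytes(b"original " + p.encode())
        trusted = make_list(root, paths)  # assumption: kept off the host
        local = trusted                   # copy stored beside the binaries
        # Case 1: simulated disk corruption, local list untouched.
        Path(root, "bin/rm").write_bytes(b"origina\x00 bin/rm")
        hardware = verify(root, parse_md5sums(local))
        # Case 2: file replaced and the local list regenerated to match.
        Path(root, "bin/ls").write_bytes(b"replaced")
        local = make_list(root, paths)
        return (hardware, verify(root, parse_md5sums(local)),
                verify(root, parse_md5sums(trusted)))

if __name__ == "__main__":
    print(demo())
```

The three results are the mismatches seen by the local list after corruption, by the rewritten local list, and by the reference list.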
