On 2008-10-27 08:24 +0100, David Baron wrote:
> The newest debsums from Sid can do a daily check for md5 disagreement. Useful
> for security?

Not really. An attacker that can modify system files can and will also
update the md5sums under /var/lib/dpkg/info. Besides, scanning each and
every installed file takes _really_ long, so it is not recommended to
run this daily.

> This check flags a load of missing files which are either obsolete -- maybe I
> once had 'em but they are long gone -- or ... I never had 'em.
> Two prime examples:
> The former, Sun Java 1.5 stuff. Has been superseded by 1.6 and this was always
> Sun's installation rather than anything from Debian. The latter
> /usr/loca/Adobe . . . acrobat stuff. I never had a local version. Most entries
> seem to be internationalization stuff.

Do you have localepurge installed? It will delete many l10n files that
debsums will report then.

> There is a (now empty) /etc/debsums-ignore. If this can be set to exclude
> directories, I can easily suppress the check on these files.

That's not how it works, unfortunately. These files will still be
checked, only the final output is filtered. Have a look at debsums'
cron script to convince yourself if you don't trust me.

> Question is where
> the program gets the info to look for them in the first place?

From the *.md5sums files under /var/lib/dpkg/info.

Sven
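
The following is an added example, not part of the original message and not debsums' own code: a small checker that reads one dpkg-style `*.md5sums` list and shows why a check against a list stored on the same host passes once a file and its list entry change together. The package name `demo`, the file paths in the temporary tree, and the idea of recording a SHA-256 of the list off the host are assumptions of this example.

```python
import hashlib
import os
import tempfile

def digest(path, algo="md5"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_package(md5sums_path, root="/"):
    """Check files against one dpkg *.md5sums list ("<md5>  <path relative to />")."""
    changed, missing = [], []
    with open(md5sums_path) as f:
        for line in f:
            if not line.strip():
                continue
            want, rel = line.rstrip("\n").split(None, 1)
            target = os.path.join(root, rel)
            if not os.path.isfile(target):
                missing.append(rel)      # e.g. l10n files deleted by localepurge
            elif digest(target) != want:
                changed.append(rel)
    return changed, missing

def demo():
    # Constructed sample tree; "demo" is a made-up package name.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var/lib/dpkg/info"))
        os.makedirs(os.path.join(root, "usr/bin"))
        tool = os.path.join(root, "usr/bin/tool")
        sums = os.path.join(root, "var/lib/dpkg/info/demo.md5sums")

        def install(content):
            with open(tool, "wb") as f:
                f.write(content)
            with open(sums, "w") as f:
                f.write(f"{digest(tool)}  usr/bin/tool\n")
                f.write(f"{'0' * 32}  usr/share/locale/xx/demo.mo\n")

        install(b"original\n")
        baseline = digest(sums, "sha256")   # assumption: recorded off the host
        before = check_package(sums, root)
        install(b"modified\n")              # file and local list change together
        after = check_package(sums, root)
        return before, after, digest(sums, "sha256") == baseline

if __name__ == "__main__":
    print(demo())
```

Both runs report only the missing locale file; the changed binary is never flagged, and only the comparison against the separately kept digest of the list shows that anything changed.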