Re: Can I check packages integrity with debsums on sums check failed DVDs?

To: debian-user@lists.debian.org
Subject: Re: Can I check packages integrity with debsums on sums check failed DVDs?
From: "Boyd Stephen Smith Jr." <bss@iguanasuicide.net>
Date: Thu, 16 Jul 2009 12:58:08 -0500
Message-id: <[🔎] 200907161258.14503.bss@iguanasuicide.net>
In-reply-to: <[🔎] 4a5f5d95.06e2660a.6fbc.4d1b@mx.google.com>
References: <[🔎] 4a5cba7b.25c0100a.48c5.567f@mx.google.com> <[🔎] 4A5CDF14.6090501@physik.blm.tu-muenchen.de> <[🔎] 4a5f5d95.06e2660a.6fbc.4d1b@mx.google.com>

In <[🔎] 4a5f5d95.06e2660a.6fbc.4d1b@mx.google.com>, Sthu Deus wrote:
>Thank You for Your time and answer, Johannes:
>> > How I can find out from whence the file has come?
>>
>> Probably not at all. Your files will have the same md5sums no matter
>> from where you've got the package (ie. it does not matter, if the
>> package is from your DVD someone else's dvd or from some server over the
>> internet, as long as the integrity of the files is ok (ie. md5sums).
>>
>> To verify you could try 'debsums ace-of-penguins'
>
>Actually, all I wanted here was to find out from which package come the
> md5sums for each package - to understand how the check process works.

A package maintainer can include a debsums file in the package.

When you install the debsums package it sets up an apt hook to generate a 
.debsums file when a package is installed and doesn't already have one.

>I want to know, if I can check the integrity of a downloaded package
> through FTP and not apt-get. - For if a check sum comes w/ the package -
> then I can not trust it.

Depends on how you got the package.  There is a "chain of trust" between 
your apt keyring and the package contents.  The Release and Packages files 
have detached signatures, which APT verifies to ensure they are trusted and 
not corrupt.  The Packages file contains multiple hashes for each .deb 
package, which APT verifies to ensure they are trusted and not corrupt.  The 
.deb package might contain a .debsums file.  If not .debsums can be 
generated locally.

So, *just after package installation* you can trust the .debsums.  They are 
either from a trusted source or are generated locally (generally also a 
trusted source).

The problem arises that the .debsums files are stored on the same (generally 
mutable) media that the package files are stored on.  If an attacker 
modifies package files they can also modify the .debsums to match their 
modifications.  Debsums is not meant to catch attackers, but to detect 
random corruption.
-- 
Boyd Stephen Smith Jr.           	 ,= ,-_-. =.
bss@iguanasuicide.net            	((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy 	 `-'(. .)`-'
http://iguanasuicide.net/        	     \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Can I check packages integrity with debsums on sums chech failed DVDs?
  - From: Sthu Deus <sthu.deus@gmail.com>
- Re: Can I check packages integrity with debsums on sums chech failed DVDs?
  - From: Johannes Wiedersich <johannes@physik.blm.tu-muenchen.de>
- Re: Can I check packages integrity with debsums on sums check failed DVDs?
  - From: Sthu Deus <sthu.deus@gmail.com>

Prev by Date: RE: a tool that can recover partially formatted ext3 FS.
Next by Date: How to get framebuffer device working with ATI radeon?
Previous by thread: Re: Can I check packages integrity with debsums on sums check failed DVDs?
Next by thread: How to unmark packages
Index(es):
- Date
- Thread