Re: RFE: Could crc32 be included in the debian live/installation disk?
Albretch Mueller wrote:
> On 10/8/19, Reco <email@example.com> wrote:
> > On Tue, Oct 08, 2019 at 04:34:17PM +0200, Albretch Mueller wrote:
> >> >> this is a hash algorithm that is implemented on the chips anyway, it
> >> >> is the fastest of them all, used by synch (is it?) and it is crucially
> >> >> helpful when data integrity is very important.
> >> >And it's also one of those broken checksum algorithms which makes it
> >> >easy to replace a part of file while keeping a checksum intact.
> >> Well, I wasn't claiming CRC32 was fail-safe, what I actually meant is
> >> that data integrity would be based on:
> >> a) two -fast- and "reasonably" safe signature utilities which are
> >> based on -different algorithms-
> > CRC32 fails here. Key is "reasonably" safe.
> > If you'd propose MD5 and SHA256 (Debian does it for every package in
> > the repository) - that would be considered OK.
> OK, great! MD5 and SHA256 would it then be. They don't even need to
> be computed, so, right after installation Debian should:
> 1) give users the option to keep a first baseline, including the
> hardware on which the installation was made, saved into files which
> would be tar'ed and compressed in a well-defined, standard way;
Install AIDE. It's packaged.
AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file
and directory integrity checker.
What does it do?
It creates a database from the regular expression rules that it
finds from the config file(s). Once this database is initialized
it can be used to verify the integrity of the files. It has
several message digest algorithms (see below) that are used to
check the integrity of the file. All of the usual file
attributes can also be checked for inconsistencies. It can read
databases from older or newer versions. See the manual pages
within the distribution for further info.
* supported message digest algorithms: md5, sha1, rmd160, tiger,
  crc32, sha256, sha512, whirlpool (additionally with libmhash:
  gost, haval, crc32b)
* supported file attributes: File type, Permissions, Inode, Uid,
  Gid, Link name, Size, Block count, Number of links, Mtime, Ctime
  and Atime
* support for Posix ACL, SELinux, XAttrs and Extended file system
  attributes if support is compiled in
* plain text configuration files and database for simplicity
* powerful regular expression support to selectively include or
  exclude files and directories to be monitored
* gzip database compression if zlib support is compiled in
* stand alone static binary for easy client/server monitoring
* and many more
> I meant you would keep that file in a pen drive you never connect to
> the Internet and that baselining utility should be part of the Debian
> installation DVDs.
AIDE does this.
> >> Yes, but where is the GUI based data integrity check?
> By the way, if you were to recommend the best/most exhaustive and
> reproducible documentation about how Debian's packaging system works,
> that would be? Also, the mindset/"philosophy" behind it. Maybe I could
> find the time to do a more elaborate "proof of concept" and submit it
> for your consideration or heck even start yet another Debian knock
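
The baseline-then-verify workflow discussed in this thread, as an added example that is not part of the original messages and is not AIDE's code or database format: it records MD5 and SHA256 plus two file attributes for each file, serialises the result as the baseline that would be kept on offline media, and later reports what was added, removed or changed. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_record(path):
    """Return the attributes and the two digests recorded for one file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    st = os.lstat(path)
    return {"size": st.st_size, "mode": st.st_mode,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def build_baseline(root):
    """Walk root and map each regular file's relative path to its record."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in files):
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = file_record(full)
    return db

def compare(baseline, current):
    """Return {path: reason} for every added, removed or changed file."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            report[path] = "added" if old is None else "removed"
            continue
        diff = sorted(k for k in old if old[k] != new.get(k))
        if diff:
            report[path] = "changed: " + ",".join(diff)
    return report

def demo():
    """Constructed sample tree: baseline it, alter it, then check it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "sshd.conf").write_bytes(b"port=22\n")
        Path(root, "motd").write_bytes(b"hello\n")
        saved = json.dumps(build_baseline(root))  # would be kept on offline media
        Path(root, "sshd.conf").write_bytes(b"port=23\n")  # same size, new content
        Path(root, "motd").unlink()
        Path(root, "new.sh").write_bytes(b"#!/bin/sh\n")
        return compare(json.loads(saved), build_baseline(root))
```

The altered file keeps its size and mode, so only the two digests expose the change.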