
Re: RFE: Could crc32 be included in the debian live/installation disk?



On 10/8/19, Reco <recoverym4n@enotuniq.net> wrote:
> On Tue, Oct 08, 2019 at 04:34:17PM +0200, Albretch Mueller wrote:
>> >>  this is a hash algorithm that is implemented of the chips anyway, it
>> >> is the fastest of them all, used by synch (is it?) and it is crucially
>> >> helpful when data integrity is very important.
>>
>> >And it's also one of those broken checksum algorithms which makes it
>> >easy to replace a part of file while keeping a checksum intact.
>>
>>  Well, I wasn't claiming CRC32 was fail-safe, what I actually meant is
>> that data integrity would be based on:
>>
>>  a) two -fast- and "reasonably" safe signature utilities which are
>> based on -different algorithms-
>
> CRC32 fails here. Key is "reasonably" safe.
> If you'd propose MD5 and SHA256 (Debian does it for the every package in
> repository) - that would be considered OK.

 OK, great! MD5 and SHA256 would it then be. They don't even need to
be computed, so, right after installation Debian should:

 1) give users the option to keep a first baseline, including the
hardware on which the installation was made, saved into files which
would be tar'ed and compressed in a well-defined, standard way;

 2) whenever users feel like checking their device, the same DVD live
used for the initial installation could be used to check the current
"moment" of the OS and check the difference with previous diff deltas;

 3) if differences are detected where and if they matter (not just a
new file), but, say inside a critical directory or file (all those
should be declaratively set), a hexviewer would be launched showing
the differences between the two files. Probably, that could be
implemented out of the box with IDS; what I am pushing for is making it
an integral and optional part of Debian installation.

>> >>  Does Debian internally have the kind of check pointing that Windows
>> >> does with which you could revert the state of an OS to a operating
>> >> "moment" you can manage?
>
>> >Sure. And it's called "off-host backup", a concept which predates both
>> >Linux and Windoze. As you helpfully mention below, "you do not own your
>> >computer", so "in-host" checkpoints are untrusted by your very own
>> >definition.
>>
>>  I think you are twisting a bit my point here in a confusing way.
>
> Nope. If you need an immutable OS state (be it a backup, a snapshot or
> whatever), you do not store it on the same host. If you do not trust the
> OS (or the hardware), there's no reason to trust a snapshot of its state.

 I meant you would keep that file in a pen drive you never connect to
the Internet and that baselining utility should be part of the Debian
installation DVDs.

>> >>  the reason why I push for the crc32 algo is because instead of using
>> >> sha?sums which are much slower, I would rely on both crc32 and md5sum,
>> >> when I have to baselines the 200+K files included in the base install
>> >> that comes with the installation disk.
>>
>> >A noble if misguided effort. Surely you're aware that Debian project
>> >provides both install media and LiveDVDs along with checksums of them?
>> >They did this job for you already.
>>
>>  Yes, but where is the GUI based data integrity check?
>
> Never felt the need for one.
> I fail to see what's so hard in running:
>
> md5sum -c <checksumfile>
> sha256sum -c <checksumfile>
>
> But maybe some other list participant can help you here.

 I never said it was hard; I am talking about running such utilities on
hundreds of thousands of files, but you clarified to me this is not
even necessary, since such sums are included in the deb file.

 By the way, if you were to recommend the best/most exhaustive and
reproducible documentation about how Debian's packaging system works,
that would be? Also, the mindset/"philosophy" behind it. Maybe I could
find the time to do a more elaborate "proof of concept" and submit it
for your consideration or heck even start yet another Debian knock
off.

>> >>  Nowadays you can safely assume that you do not own your computer
>>
>> > And refraining from using certain processor architectures and non-free
>> > operating systems ...
>>
>>  Your joke is beside my point
>
> I'm dead serious. If you're using x86 newer than Pentium the First,
> consider yourself pwned, because you do not control the hardware, they
> do. The only question is whenever it's a good, democratic US control, or
> totalitarian Chinese one.

 Did you just say: "The only question is whenever it's a 'good,
democratic US control', or totalitarian Chinese one."?

 That was some side sarcasm to keep the conversation a bit livelier,
amusing, right?!?

 I don't know what you know about the U.S. or the Chinese, "good,
democratic" or "un-Amerikan" governments. I can tell you that I grew
up in an open police state (adorably crazy Cuba), went to school
during stasi times in East Germany and I visited both Soviet Russia
and (later, Deng Xiaoping) China. So, I can claim to definitely know
more than two things about "bad, undemocratic" ("un-Amerikan")
governments. I also lived for 24 years 5 months and 22 days in "'the'
land of 'the' free and 'the' 'brave'" ... (or, until they ran me out,
did my best at trying to live there and yes after so many years you do
find your niche).

 I love how they succinctly say in the Bronx (NYC): "people is stupid
because people is stupid". I came to the U.S. as "an old dog", but I
did learn a few "tricks"/things there, one of them being that living
under the rule of a (supposedly and very much so!) "good, democratic"
government, doesn't make for "better" people or governments. Just to
check your functional illusions (most gringos are "worked" to think
and talk like this):

 a) "'the' land of 'the' free and 'the' 'brave'" ... has the highest
incarceration rate ever (I even think, in the history of mankind)

 b) the perp ratio (people serving as snitches, gang stalkers and
perpetrators to the general population they call them "social
responsibility committees", "infraguards", "nexus networks",
"patriots", ...) is the highest ever as well (the perp ratio in stasi
time East Germany was higher than with the Nazis. In the U.S. it is
even higher)

 c) in the latest "freedom loving" wars spearheaded by the U.S. and
the British governments they managed to eight time (8x) the genocidal
ratio of Nazi Germany during WWII ("patriots" and "warriors" should be
able to do 3rd grade Math)

 But the most amazing thing I learned in the U.S. is that lies are not
just tools but -industries- and how easy it is to manipulate people,
making them believe, quite literally, whatever. I had always thought
that in order to be effective at systematically lying to people you
must run a dictatorship. I learned in the U.S. how wrong I was. The
main job of the U.S. media is making fun of other "un-Amerikan" (some
of them even "pro Russian") people (from Russia, China, Venezuela,
Cuban, Muslim countries ...), but, after the Snowden revelation, when
they realized that their government kept tabs on virtually all they do
(they keep a data Doppelgänger of every single member of society) way
beyond the wildest sweat dreams of all those "un-Amerikan" stasi and
KGB folks, people in the U.S. just went like: "Oh, well! Isn't it
about 'metadata'" (a word they had never heard before and which
meaning they didn’t even know) ... and "that was all there was to it!"

 I also found interesting how prominent U.S computer people such as
Bruce Schneier and Berners-Lee were (as they amusingly said) "shocked"
about the NSA revelations. How on earth could those two be 'shocked'
about any of it?!?!? I took the time to read Schneier's book: "Data
and Goliath" on which he "suggests" to "We the people to 'collaborate'
with the government" ..., ready?, "as a way to avoid surveillance" and
he was also relating how he pays for his shoko bars with cash so "the
government doesn't keep a trail of his habits" (I am not kidding you
gringos are that spineless!) ... as just a comparison to what goes on
in "un-Amerikan" countries, Anthropologist were odd stroke and very
doubtful when they heard that in Cuba "We the people" (it all started,
emerged with a bunch of kids connecting their computers wirelessly to
game one another) had done on their own an under a dictatorship,
closed-up version "the Internet" (with facebook, craigslist, ... and
all that cr@p). The government was overwhelmed after getting tired of
chasing them around putting people in prison. They were forced to
accept "reality" as defined by the people.

// __ Inside Cuba’s D.I.Y. Internet Revolution

 https://www.wired.com/2017/07/inside-cubas-diy-internet-revolution/
~
 another "interesting" aspect of those "un-Amerikan" developments is
that "We the people" in Cuba did not only show the finger to the
government, but they didn't bite into the CIAs bait to try to play
them into another "Spring revolution" in Cuba.

 I would just say, let's keep our conversation "technical", "computer related".

>> >>  I would like to remove all cookies
>>
>> >Why accept them in the first place then?
>>
>>  because "cookies" have been turned into an all encompassing black
>> mail and tracking mechanism,
>
> Spare me the usual scarytales, please. Whichever browser you're using
> should allow you to set a whitelist policy on cookies (as opposed to
> brain-dead blacklist policy by default).
> It may break some authentication, sure, so whitelist domains until it
> ain't.

 Here you are just talking about cookies; way more pernicious is
javascript. Managing javascript code without pages containing them
manifestly offering a "flight letter" (kind of the way java web start
does it with their manifests) would take away your life

>> so if you don't accept them they will not show you pages,
>
> And if a site implements such policy it's not worth your time.

 they would have already made you waste time while mining their cr@p

>> let you get to your email account, ...
>
> LOL. Why exactly should I deny myself the access to my own e-mail on my
> server? Also, both SMTP and IMAP do not use cookies last time I've
> checked.

 I was talking about my gmail account and yes I should have my own
email server, but you are kidding yourself if you think that to be a
fail safe "solution"

>> I hate JS for more than one good reason, they slow your Internet
>> experience, dump of all kinds of commercial cr@p on you,
>
> ... But you do not disable it because?

 I do, but there is not a way to disable its functionality in a
detailed way, that is why I was talking about a Nashorn based proxy.
Using the utilities included in browsers is accepting the rules and
ways of your enemies.

 lbrtchx
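
The baseline-and-recheck procedure proposed in this message (steps 1 to 3, with the MD5 plus SHA256 pair suggested in the quoted reply), as an added example that is not code from the thread or from Debian. The function names and the sample tree are constructed for illustration, and the baseline is assumed to be kept on offline media as the message describes.

```python
import hashlib
import os
import tempfile

def digest_file(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests of a file, reading it only once."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()

def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digests."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = digest_file(full)
    return baseline

def compare(baseline, current, critical):
    """Diff two baselines, reporting only paths under the critical directories."""
    pre = tuple(c.rstrip("/") + "/" for c in critical)
    old, new = set(baseline), set(current)
    return {"modified": sorted(p for p in old & new
                               if p.startswith(pre) and baseline[p] != current[p]),
            "missing": sorted(p for p in old - new if p.startswith(pre)),
            "new": sorted(p for p in new - old if p.startswith(pre))}

def run_demo():
    """Constructed sample tree: baseline it, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for rel in ("etc/passwd", "etc/hosts", "home/user/notes.txt"):
            write(rel, b"original " + rel.encode())
        baseline = build_baseline(root)      # in practice kept on offline media
        write("etc/passwd", b"changed")      # modified file in a critical dir
        os.remove(os.path.join(root, "etc/hosts"))  # deleted critical file
        write("etc/cron.d/job", b"added")    # new file in a critical dir
        write("home/user/notes.txt", b"x")   # change outside the critical set
        return compare(baseline, build_baseline(root), critical=["etc"])

if __name__ == "__main__":
    print(run_demo())
```

A file counts as modified when either digest differs, and the comparison is only as trustworthy as the system it runs on, which is why the thread has it run from the live DVD against an off-host baseline.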

