
Re: md5sums in security advisories



Michael Stone wrote:
> On Tue, Apr 24, 2001 at 08:30:38PM +0200, Josip Rodin wrote:
> > Joey requested that MD5 checksums are put in security advisories on the web
> > pages, so I've added them, in a kludgey kinda way. Should we add a
> 
> nonononono! We *already* have the md5's available in a web-accessible
> form in the mailing list archives. Having them on the wml pages is a Bad

There is no connection between the security web pages and the list
archives so this argument is somewhat bogus.

> Thing. There is no associated signature to validate that the md5's
> haven't been tampered with. It is likely that anyone who could modify

The very same applies to the list archives web pages as well,
sorry.

> the binaries on pandora could *also* modify the web pages. Adding md5's

...and also modify the list archives web pages...

> to the web pages is a dangerously misleading false sense of security.

Then we should not distribute any MD5 sums in public archives.

I'd rather like to see a note on the security pages like:

  Please note that we cannot guarantee that an intruder gets access to
  our servers since they are connected to the internet.  In such a
  case an evil third party could potentially modify uploads to
  security.debian.org and modify web pages containing MD5 sums.  We
  are, however, trying our best to prohibit this.  Please be advised
  that there is no 100% security, only improvements to the current
  situation.

Joy should rephrase it probably. :)

> Anyone who wants this information for the purpose of validating a
> security upload *must* use the pgp-signed version *already available.*

Ah, that's the bug, I forgot about the gpg signature in the lists
archive.  Point taken.

What about adding links to the relevant mails in the lists archive and
a note to check the MD5sum etc.

Regards,

	Joey

-- 
We all know Linux is great... it does infinite loops in 5 seconds.
        - Linus Torvalds

Please always Cc to me when replying to me on the lists.
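The point settled in this thread is that MD5 sums published on an unsigned web page prove nothing if the same intruder can edit both the package and the page; the sums are only worth checking once they come from a signed advisory. The script below is an added example, not code from this thread or from the Debian project: it parses a checksum listing in the indented "URL line followed by MD5 checksum:" layout (the sample advisory text and its file names are constructed), verifies downloaded files against it, and refuses to use the sums at all unless `gpg --verify` on the signed advisory mail succeeds (the `signature_verified` helper and the function names are assumptions of this example).

```python
from __future__ import annotations

import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample in the style of an advisory's checksum listing: a URL
# line followed by an indented "MD5 checksum:" line. Example data only.
SAMPLE_ADVISORY = """\
  Source archives:

    http://security.debian.org/dists/stable/updates/main/source/example_1.0-1.dsc
      MD5 checksum: 9e107d9d372bb6826bd81d3542a419d6
    http://security.debian.org/dists/stable/updates/main/source/example_1.0-1.tar.gz
      MD5 checksum: d41d8cd98f00b204e9800998ecf8427e
"""

MD5_LINE = re.compile(r"^\s*MD5 checksum:\s*([0-9a-fA-F]{32})\s*$")
URL_LINE = re.compile(r"^\s*(https?://\S+)\s*$")


def parse_advisory_md5s(text: str) -> dict[str, str]:
    """Map each listed file name (last URL path component) to its MD5 hex digest."""
    sums: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = URL_LINE.match(line)
        if m:
            current = m.group(1).rsplit("/", 1)[-1]
            continue
        m = MD5_LINE.match(line)
        if m and current:
            sums[current] = m.group(1).lower()
            current = None
    return sums


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large archives do not have to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory: Path, sums: dict[str, str]) -> dict[str, str]:
    """Return {file name: status} with status one of "ok", "mismatch", "missing"."""
    result: dict[str, str] = {}
    for name, expected in sums.items():
        p = directory / name
        if not p.is_file():
            result[name] = "missing"
        elif md5_of_file(p) == expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


def signature_verified(signed_advisory: Path) -> bool:
    """Run `gpg --verify` on a clearsigned advisory; True only if gpg exits 0.
    Assumes gpg is installed and the advisory signing key is in the keyring."""
    try:
        proc = subprocess.run(["gpg", "--verify", str(signed_advisory)],
                              capture_output=True)
    except FileNotFoundError:
        return False
    return proc.returncode == 0


def check_update(signed_advisory: Path, download_dir: Path) -> dict[str, str]:
    """Trust the listed sums only after the advisory's signature checks out."""
    if not signature_verified(signed_advisory):
        raise RuntimeError("advisory signature did not verify; MD5 sums are untrusted")
    return verify_downloads(download_dir, parse_advisory_md5s(signed_advisory.read_text()))


def demo_verification() -> dict[str, str]:
    """Build constructed downloads matching the sample listing, then tamper with one."""
    d = Path(tempfile.mkdtemp())
    (d / "example_1.0-1.dsc").write_bytes(b"The quick brown fox jumps over the lazy dog")
    (d / "example_1.0-1.tar.gz").write_bytes(b"")          # matches the empty-file MD5
    sums = parse_advisory_md5s(SAMPLE_ADVISORY)
    before = verify_downloads(d, sums)
    (d / "example_1.0-1.tar.gz").write_bytes(b"tampered")  # simulate a modified upload
    after = verify_downloads(d, sums)
    return {"dsc": before["example_1.0-1.dsc"],
            "tar_before": before["example_1.0-1.tar.gz"],
            "tar_after": after["example_1.0-1.tar.gz"]}


if __name__ == "__main__":
    print(demo_verification())
```

`check_update` is the entry point a user would call on the saved advisory mail and a directory of downloads; the parse and compare helpers are separated so the listing format can be tested without gpg present.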


