-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Stefano Zacchiroli ha scritto: > In an attempt to prevent drift to a well-known counter argument: > DEBIAN/md5sums (used by debsums) are *not* intended as a mean to counter > security attacks, since they can be easily altered.
If md5sums become part of the policy, then this brings me to an old idea of mine. Idea: we set up a database containing those md5sums , for all packages/versions that pass thru the archive, and add a web interface to that. This database then may be really used in forensic. Example usage. Suppose that I find out that my PC has been hacked. I then shut it down immediatly, and grab a live CD. I boot my PC using the live CD, and have it connect to Internet. I then start a simple utility (think of 'debsums --web --root'), that, for any package that is installed in the OS in the PC, downloads the md5sum for that version from the web interface, and goes checking; eventually leaving a list of all files that did not check OK or that were found in /etc /usr /bin ... and have no md5sum. Of course this would give many false positives, (such as the aspell hashes, as is discussed in a subthread ; and a lot of stuff in /etc); but it would be useful to prune the majority of OK files out, and leave a small subset for human forensic analysis. a. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG0qHD9B/tjjP8QKQRAmJnAJ9oUWwME6Q8g6JrRt6bF4nk6HYIawCdG1hP GRyBERL04/5Nz2/YmM16uts= =M3m4 -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
