Hi,

>>"Radu" == Radu Duta <[EMAIL PROTECTED]> writes:

 Radu> On Tue, Dec 16, 1997 at 11:46:29PM -0600, Manoj Srivastava wrote:
 >> The addition of the md5sums has come up before. Personally, I think the utility is limited, given the presence of tripwire, which goes much further to ensure the integrity of the system (for example: a bad guy changes /usr/sbin/foo *and* /var/lib/dpkg/info/foo.md5sum, you shall not be any wiser; and you can't put /var/lib/dpkg/info on read-only media).

 Radu> Hmm, well my intention for the md5sums is a bit different. I'd like to use them to 1) check package integrity, and 2) check for modified configuration files. Tripwire is fine, and you'd still have to run tripwire.

	Package integrity checking: the whole package has an md5sum, and quite a widely published one at that. If the md5sum does not match, I do not install it (actually, I have a script that runs over my local mirror ...). This is easy. It exists.

	Secondly, if I am concerned about security and file integrity, I use tripwire, and write-protect the media the database is on. The bad person modifying /usr/bin/make can very well alter /var/lib/dpkg/info/make.md5sum as well.

	Thirdly, the conf file md5sums are already stored by dpkg, without all the duplication you are advocating. (Have you really looked at the contents of /var/lib/dpkg/info/?)

 Radu> For example. I install the base system, and it has /etc/fstab as one of the files. That file gets installed and modified before tripwire gets installed, so tripwire couldn't manage it. This also applies to installed packages where configuration files were modified before tripwire got a chance to manage them.

	Umm, and you did not check the md5sum of the package before (or at least, after, at your leisure) you installed it? Why not? You realize that any amount of after-the-fact per-file checking could be too late? Are you really getting any security from this, or are we just trying for warm fuzzy feelings?
manoj who believes people should really leave security to the security experts -- "William Safire would have a cow, but somehow that doesn't disturb me." Evan Hunt ([EMAIL PROTECTED]) Manoj Srivastava <[EMAIL PROTECTED]> <http://www.datasync.com/%7Esrivasta/> Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
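The point Manoj makes above (an attacker who can write /usr/sbin/foo can also write /var/lib/dpkg/info/foo.md5sum, so a check against the locally stored sums proves nothing, whereas a check against a baseline kept on write-protected media does) can be shown concretely. The following is an added example, not code from the thread or from dpkg/tripwire. It assumes the md5sum(1)-style line format "<hex digest>  <relative path>" that dpkg uses for its per-package md5sums files, uses the file name foo.md5sums under a throwaway root (all paths and file contents are constructed for the demo), and models the "read-only media" baseline as a string held outside the directory tree the simulated attacker can write to.

```python
import hashlib
import os
import tempfile


def md5_of_file(path):
    """Stream a file through MD5 and return the lowercase hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse md5sum(1)/dpkg-style lines '<hex>  <relative path>' into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 32 or not rel:
            raise ValueError("malformed md5sums line: %r" % line)
        expected[rel] = digest.lower()
    return expected


def build_md5sums(root, rel_paths):
    """Produce md5sums text for the given paths (relative to root)."""
    lines = ["%s  %s" % (md5_of_file(os.path.join(root, p)), p)
             for p in sorted(rel_paths)]
    return "\n".join(lines) + "\n"


def verify(root, expected):
    """Return the sorted relative paths whose current MD5 differs or that are missing."""
    bad = []
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or md5_of_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Constructed scenario: attacker trojans a binary and rewrites the local
    md5sums file. Returns (mismatches per local file, mismatches per baseline)."""
    root = tempfile.mkdtemp()                      # stands in for "/"
    info_dir = os.path.join(root, "var/lib/dpkg/info")
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(info_dir)
    target = os.path.join(root, "usr/sbin/foo")
    local_db = os.path.join(info_dir, "foo.md5sums")  # assumed file name

    # Package install: binary plus its md5sums record, both under root.
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho foo\n")            # constructed content
    with open(local_db, "w") as f:
        f.write(build_md5sums(root, ["usr/sbin/foo"]))

    # Tripwire-style baseline taken at install time and kept on media the
    # attacker cannot write (modelled here as a string outside root).
    baseline = build_md5sums(root, ["usr/sbin/foo"])

    # Attacker with write access to root: replace the binary and regenerate
    # the package's own md5sums file so the local check still agrees.
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho foo\n# trojaned\n")  # constructed content
    with open(local_db, "w") as f:
        f.write(build_md5sums(root, ["usr/sbin/foo"]))

    with open(local_db) as f:
        local_result = verify(root, parse_md5sums(f.read()))   # passes: []
    offline_result = verify(root, parse_md5sums(baseline))    # catches it
    return local_result, offline_result


if __name__ == "__main__":
    local, offline = demo()
    print("check against /var/lib/dpkg/info:", local or "clean")
    print("check against write-protected baseline:", offline or "clean")
```

The first verify call returns an empty list because the attacker controlled both inputs to the comparison; the second returns ["usr/sbin/foo"] because the baseline was out of reach. The format of the stored sums is irrelevant to that outcome; what matters is where the reference copy lives and who can write it.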