On Thu, Dec 18, 1997 at 02:19:07AM -0600, Manoj Srivastava wrote:
>Radu> Hmm, well my intention for the md5sums is a bit different. I'd
>Radu> like to use them to 1)check package integrity, and 2)check for
>Radu> modified configuration files. Tripwire is fine, and you'd still
>Radu> have to run tripwire.
>
> Package integrity checking: the whole package has a md5sum,

After the package has been installed, not the *.deb file. I'd prefer not
to have to keep all the *.deb files around and then do diffs.

> and quite widely published at that. If the md5sum does not match, I
> do not install it (actually, I have a script that runs over my local
> mirror ...). This is easy. It exists.

Sure, fine, that's what the md5sum on the *.deb is useful for.

> Secondly, if I am concerned about security and file integrity,
> I use tripwire, and write protect the media the database is on. The
> bad person modifying /usr/bin/make can very well alter
> /var/lib/dpkg/info/make.md5sum as well.

Fine, totally different issues. The /var/lib/dpkg/info/make.md5sum is
not used for security purposes, but post-installation integrity checking
and modification checking (excluding malicious mods).

> Thirdly, the conf file md5sums are already stored by dpkg,
> without all the duplication you are advocating. (have you really
> looked at the contents of /var/lib/dpkg/info/?).

I have, have you? Show me what you are talking about for the following
packages. I took the time to find 4 nice examples, so please take the
time to show me what you are talking about. Maybe I missed the obvious.

in 131 for
1)ldso 1.8.12-1
2)lpr 5.9-13.1
or in hamm for
1)ldso 1.9.6-2
2)lpr 5.9-20.2

> Are you really getting any security from this, or are we just
> trying for warm fuzzy feelings?

No added security, nor am I trying to claim that you get any, mind you.

Radu
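
The post-installation check discussed in this message, as an added sketch that is not code from either poster or from dpkg. It assumes a per-package list in md5sum(1) output format ("digest  relative/path"); the file names and contents are constructed. The last report shows the limit raised in the thread: a list that can be rewritten along with the file stops reporting the change.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def parse_md5sums(text):
    """Parse 'digest  relative/path' lines (md5sum(1) output; assumed format)."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path] = digest.lower()
    return entries

def verify(root, md5sums_text):
    """Return {path: 'ok' | 'modified' | 'missing'} for every listed file."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if md5_of(full) == expected else "modified"
    return report

def demo():
    """Constructed install root; returns the three reports described below."""
    files = {"usr/bin/make": b"original binary\n", "etc/printcap": b"lp:\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        recorded = "".join(f"{hashlib.md5(d).hexdigest()}  {r}\n"
                           for r, d in files.items())
        with open(os.path.join(root, "etc/printcap"), "ab") as f:
            f.write(b"# local edit\n")      # admin edit to a config file
        after_edit = verify(root, recorded)
        make = os.path.join(root, "usr/bin/make")
        with open(make, "wb") as f:
            f.write(b"replaced binary\n")   # file content replaced
        after_swap = verify(root, recorded)
        # The list sits on the same writable disk and is regenerated as well.
        old = hashlib.md5(files["usr/bin/make"]).hexdigest()
        rewritten = recorded.replace(old, md5_of(make))
        return after_edit, after_swap, verify(root, rewritten)

if __name__ == "__main__":
    print(demo())
```

The first two reports flag the edited and replaced files; the third reports the replaced file as "ok" because the stored digest was rewritten with it, which is why the list only serves as an integrity aid when it is kept on media the modifier cannot write.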