Hi,
>>"Radu" == Radu Duta <[EMAIL PROTECTED]> writes:

>> Secondly, if I am concerned about security and file integrity, I
>> use tripwire, and write protect the media the database is on. The
>> bad person modifying /usr/bin/make can very well alter
>> /var/lib/dpkg/info/make.md5sum as well.

Radu> Fine, totally different issues.  The
Radu> /var/lib/dpkg/info/make.md5sum is not used for security
Radu> purposes, but post installation integrity checking and
Radu> modification checking (excluding malicious mods).

        I still fail to see why tripwire can't do that. Also, in my
 experience, there is a high correlation between conf files I really
 care about and conf files I tend to modify. Once I modify a conf
 file, the per package md5sum is useless (tripwire would still detect
 subsequent modifications).

        Anyway, conffiles md5sums are already available.

>> Thirdly, the conf file md5sums are already stored by dpkg, without
>> all the duplication you are advocating. (have you really looked at
>> the contents of /var/lib/dpkg/info/?).

Radu> I have, have you?  Show me what you are talking about for the
Radu> following packages.  I took the time to find 4 nice examples, so
Radu> please take the time to show me what you are talking about.
Radu> Maybe I missed the obvious.

        You have missed the obvious.

        Look, dpkg is not magical (despite what Ian may
 say). Really. And dpkg knows when conf files are modified. How do you
 think it knows that? The md5sum of all conffiles is stored in
 /var/lib/dpkg/ (where is left as an exercise for the reader).

Radu> in 131 for 1)ldso 1.8.12-1 2)lpr 5.9-13.1
Radu> or in hamm for 1)ldso 1.9.6-2 2)lpr 5.9-20.2

        ldso does not have any conffiles. (I do not have lpr installed,
 so I can't say.) If you are concerned about modification of
 non-conffiles, then use tripwire.

        I still fail to see any advantages in what even you admit is a
 half baked security solution. There is a better, more secure, real
 solution in terms of tripwire.

        Personally, if bugs were to be assigned, I'd be more inclined
 to assign bugs to packages that use this mechanism for wasting space
 and giving novices a false sense of security.

        This is getting nowhere. Unless you have new arguments for
 your position, I am done with this discussion.
        
        manoj
-- 
 "Let us condemn to hellfire all those who disagree with us." militant
 religionists everywhere
Manoj Srivastava  <[EMAIL PROTECTED]> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
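Added example, not part of the list post above or of dpkg itself: the conffile checksums the message refers to live in the "Conffiles:" field of each package stanza in /var/lib/dpkg/status, one indented line per conffile in the form " /etc/path md5hex". The script below parses that field, compares each recorded md5 with the file on disk, and then shows the thread's security caveat: whoever can rewrite the conffile can usually rewrite the recorded sum as well, after which the check reports nothing. The package "foo", its conffiles and the status file are constructed in a temporary directory so this runs offline; on a real system point STATUS at /var/lib/dpkg/status with an empty root prefix.

```shell
#!/bin/sh
# Added example (not dpkg code): verify dpkg conffiles against the md5sums
# recorded in the "Conffiles:" field of a dpkg status file, then show why
# that record is not a defence against a writer who controls the system.

# md5 of a file, coreutils first, BSD md5 as a fallback
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print "path md5" for every entry of every Conffiles: field in status
# file $1.  The field's continuation lines start with a single space and
# end at the next line that does not.
list_conffiles() {
    awk '
        /^Conffiles:/      { in_cf = 1; next }
        in_cf && /^ /      { print $1, $2; next }
                           { in_cf = 0 }
    ' "$1"
}

# $1 = status file, $2 = root prefix ("" on a real system).
# Prints "MODIFIED <path>" or "MISSING <path>" for each conffile whose
# on-disk md5 differs from the recorded one; prints nothing if all match.
check_conffiles() {
    root=${2:-}
    list_conffiles "$1" | while read -r path sum; do
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"
        elif [ "$(md5_of "$f")" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done
}

# The thread's point: an attacker who changed $1 can also rewrite the sum
# dpkg recorded for it ($2 = status file, $3 = root prefix).
forge_recorded_sum() {
    new=$(md5_of "$3$1")
    awk -v p="$1" -v s="$new" '
        /^ / && $1 == p { $2 = s; $0 = " " $0 }
        { print }
    ' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Constructed fixture (hypothetical package "foo"): two conffiles and a
# status stanza recording their install-time sums, plus one conffile that
# has since been deleted.  Afterwards one conffile is edited.
setup_fixture() {
    ROOT=$(mktemp -d)
    STATUS="$ROOT/status"
    mkdir -p "$ROOT/etc/foo"
    printf 'setting = 1\n' > "$ROOT/etc/foo/foo.conf"
    printf 'other = 2\n'   > "$ROOT/etc/foo/other.conf"
    {
        echo "Package: foo"
        echo "Status: install ok installed"
        echo "Conffiles:"
        echo " /etc/foo/foo.conf $(md5_of "$ROOT/etc/foo/foo.conf")"
        echo " /etc/foo/other.conf $(md5_of "$ROOT/etc/foo/other.conf")"
        echo " /etc/foo/gone.conf d41d8cd98f00b204e9800998ecf8427e"
        echo "Description: constructed example stanza"
    } > "$STATUS"
    # a local edit after installation
    printf 'setting = 2\n' > "$ROOT/etc/foo/foo.conf"
}

demo() {
    setup_fixture
    echo "--- after foo.conf was edited:"
    check_conffiles "$STATUS" "$ROOT"
    forge_recorded_sum /etc/foo/foo.conf "$STATUS" "$ROOT"
    echo "--- after the recorded md5 was rewritten too:"
    check_conffiles "$STATUS" "$ROOT"
    rm -rf "$ROOT"
}

demo
```

The first check reports foo.conf as MODIFIED and gone.conf as MISSING; after forge_recorded_sum only the MISSING entry remains, which is exactly why the post argues that a checksum stored on the same writable filesystem is an integrity aid for the administrator, not a tamper detector, and that tripwire with its database on write-protected media is the tool for the latter.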
