On 19 Dec 1997, Milan Zamazal wrote:

> >>>>> "MS" == Manoj Srivastava <[EMAIL PROTECTED]> writes:
>
>     MS: I still fail to see any advantages in what even you
>     MS: admit is a half baked security solution. There is a better, more
>     MS: secure, real solution in terms of tripwire.
>
> But we have none -- tripwire is non-free software.
>
> Dpkg md5sums could be more simple for a user (just typing
> `dpkg --check-md5sums'). On my home system I'm not interested in
> security, I may only want to check the system e.g. after some HW
> accident. I don't know whether such a thing is much useful (I didn't
> need it yet), but if it is easy to implement, why not to add this
> facility?

I agree with these points. It would IMHO be a good thing to be able to
let dpkg perform some kind of integrity scan on installed packages. Of
course, it can't match with tools like tripwire, if Real Security is a
concern. But what about the clueless beginner, who has to learn
everything and might occasionally break parts of his system, the
unfortunate owner of a piece of hardware that turns out to be unreliable
or the sysadmin who wants a quick overview of changes she has made to
the default installation? They would be helped a lot if dpkg had the
features to do a scan on presence, permissions, ownership and md5sums.
IMO the md5sums wouldn't even be as useful as the other checks.

The advantages of an integrity-checking extension to dpkg as I see are:

- is quite a basic function for a packaging system anyway;
- would be of practical value to all kinds of users;
- no need to install and configure tripwire if you only want simple
  configuration integrity tracking.

If people find that all this information would require too much storage
space, then settings in /etc/dpkg/dpkg.conf could keep dpkg from storing
the data.

BTW, if space is so much a concern, then a similar switch ala
"write-in-/usr/doc" would do nicely in /etc/dpkg/dpkg.conf.

Cheers,

Joost
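
The kind of scan proposed in this thread (presence, permissions, ownership and md5sums), as an added example that is not part of the original messages and is not dpkg code. The manifest format and the names `record`, `scan` and `demo` are assumptions made for illustration, and the sample files are constructed.

```python
import hashlib
import os
import stat
import tempfile

def record(root, relpaths):
    """Build manifest lines 'md5 mode uid gid path' (hypothetical format)."""
    lines = []
    for rel in relpaths:
        full = os.path.join(root, rel)
        st = os.stat(full)
        with open(full, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        mode = stat.S_IMODE(st.st_mode)
        lines.append(f"{digest} {mode:04o} {st.st_uid} {st.st_gid} {rel}")
    return lines

def scan(root, manifest):
    """Return sorted (path, problem) pairs; an empty list means no change."""
    findings = []
    for line in manifest:
        digest, mode, uid, gid, rel = line.split(" ", 4)
        full = os.path.join(root, rel)
        try:
            st = os.stat(full)
        except FileNotFoundError:
            findings.append((rel, "missing"))   # presence check
            continue
        if stat.S_IMODE(st.st_mode) != int(mode, 8):
            findings.append((rel, "mode"))      # permissions check
        if (st.st_uid, st.st_gid) != (int(uid), int(gid)):
            findings.append((rel, "owner"))     # ownership check
        with open(full, "rb") as fh:
            # MD5 here catches accidental damage, the use case in the thread
            if hashlib.md5(fh.read()).hexdigest() != digest:
                findings.append((rel, "md5"))
    return sorted(findings)

def demo():
    """Constructed sample: one file deleted, one chmod'ed, one edited."""
    names = ["bin_tool", "etc_conf", "lib_data"]
    with tempfile.TemporaryDirectory() as root:
        for name in names:
            with open(os.path.join(root, name), "w") as fh:
                fh.write(name + "\n")
            os.chmod(os.path.join(root, name), 0o644)
        manifest = record(root, names)
        clean = scan(root, manifest)
        os.remove(os.path.join(root, "bin_tool"))
        os.chmod(os.path.join(root, "etc_conf"), 0o600)
        with open(os.path.join(root, "lib_data"), "a") as fh:
            fh.write("bit rot\n")
        return clean, scan(root, manifest)
```

The manifest sits on the same disk as the files it describes, so a scan like this reports accidents and forgotten local changes but cannot be trusted after a compromise.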