Albretch Mueller wrote:
> On 10/8/19, Reco <recovery...@enotuniq.net> wrote:
> > On Tue, Oct 08, 2019 at 04:34:17PM +0200, Albretch Mueller wrote:
> >> >> this is a hash algorithm that is implemented of the chips anyway, it
> >> >> is the fastest of them all, used by synch (is it?) and it is crucially
> >> >> helpful when data integrity is very important.
> >>
> >> >And it's also one of those broken checksum algorithms which makes it
> >> >easy to replace a part of file while keeping a checksum intact.
> >>
> >> Well, I wasn't claiming CRC32 was fail-safe, what I actually meant is
> >> that data integrity would be based on:
> >>
> >> a) two -fast- and "reasonably" safe signature utilities which are
> >> based on -different algorithms-
> >
> > CRC32 fails here. Key is "reasonably" safe.
> > If you'd propose MD5 and SHA256 (Debian does it for the every package in
> > repository) - that would be considered OK.
>
> OK, great! MD5 and SHA256 would it then be. They don't even need to
> be computed, so, right after installation Debian should:
>
> 1) give users the option to keep a first baseline, including the
> hardware on which the installation was made, saved into files which
> would be tar'ed and compressed in a well-defined, standard way;

Install AIDE. It's packaged.

https://aide.github.io/

About AIDE

AIDE (Advanced Intrusion Detection Environment, [eyd]) is a file and
directory integrity checker.

What does it do?

It creates a database from the regular expression rules that it finds
from the config file(s). Once this database is initialized it can be
used to verify the integrity of the files. It has several message
digest algorithms (see below) that are used to check the integrity of
the file. All of the usual file attributes can also be checked for
inconsistencies. It can read databases from older or newer versions.
See the manual pages within the distribution for further info.

Features

- supported message digest algorithms: md5, sha1, rmd160, tiger,
  crc32, sha256, sha512, whirlpool (additionally with libmhash: gost,
  haval, crc32b)
- supported file attributes: File type, Permissions, Inode, Uid, Gid,
  Link name, Size, Block count, Number of links, Mtime, Ctime and Atime
- support for Posix ACL, SELinux, XAttrs and Extended file system
  attributes if support is compiled in
- plain text configuration files and database for simplicity
- powerful regular expression support to selectively include or
  exclude files and directories to be monitored
- gzip database compression if zlib support is compiled in
- stand alone static binary for easy client/server monitoring
  configurations
- and many more

> I meant you would keep that file in a pen drive you never connect to
> the Internet and that baselining utility should be part of the Debian
> installation DVDs.

AIDE does this.

> >> Yes, but where is the GUI based data integrity check?

Write one.

> By the way, if you were to recommend the best/most exhaustive and
> reproducible documentation about how Debian's packaging system works,
> that would be? Also, the mindset/"philosophy" behind it. Maybe I could
> find the time to do a more elaborate "proof of concept" and submit it
> for your consideration or heck even start yet another Debian knock
> off.

https://www.debian.org/doc/debian-policy/

-dsr-
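
The baseline-then-verify workflow discussed in this message (a database built from regular-expression rules, then checked with two different digests plus file attributes), as an added Python example; it is not AIDE's code and not part of the original message. The function names, the exclude rule and the sample tree are constructed for illustration.

```python
import hashlib, os, re, stat, tempfile

def digests(path):
    """Hash one file with two different algorithms in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def snapshot(root, include=r".", exclude=None):
    """Build {relative path: attributes} for regular files picked by the regex rules."""
    inc, exc, db = re.compile(include), exclude and re.compile(exclude), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode) or not inc.search(rel) or (exc and exc.search(rel)):
                continue
            md5, sha256 = digests(full)
            db[rel] = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
                       "md5": md5, "sha256": sha256}
    return db

def compare(baseline, current):
    """Report added and removed paths, and which attributes differ on the rest."""
    changed = {p: sorted(k for k in baseline[p] if baseline[p][k] != current[p][k])
               for p in sorted(baseline.keys() & current.keys()) if baseline[p] != current[p]}
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()), "changed": changed}

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write(root, "var/log/app.log", "started\n")
        baseline = snapshot(root, exclude=r"^var/log/")  # store this copy offline
        write(root, "etc/hosts", "127.0.0.2 localhost\n")  # same size, new content
        os.chmod(os.path.join(root, "etc/passwd"), 0o777)  # permissions only
        write(root, "etc/new.conf", "x\n")  # file added after the baseline
        write(root, "var/log/app.log", "started\nrotated\n")  # excluded by the rule
        return compare(baseline, snapshot(root, exclude=r"^var/log/"))
```

The same-size edit to `etc/hosts` is reported only through the digests, and the permission change to `etc/passwd` only through the mode, which is why both kinds of attribute are recorded.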