Re: md5sum proposal

1999-05-26 Thread Joey Hess
Goswin Brederlow wrote: > It could set up hooks, as defined in my proposal on > > ftp://mirjam.informatik.uni-tuebingen.de/pub/debian/proposal.txt > > A Package can say that it will need reconfiguration every time package > foo changes. Adding wildchar support to that and you got what you > want

Re: md5sum proposal

1999-05-26 Thread Goswin Brederlow
Michael Stone <[EMAIL PROTECTED]> writes: > On Tue, May 25, 1999 at 04:42:13PM -0500, Manoj Srivastava wrote: > > Putting things in the packaging system so that we can be sure > > they have it in the system is really silly, seeing that we have this > > marvelous dependency mechanism. >

Re: md5sum proposal

1999-05-26 Thread Christoph Lameter
On 25 May 1999, Manoj Srivastava wrote: > I still do not see why this has anything to do with the > packaging system. If all you want is to ensure that the files on your > system have not been modified since the time you installed them (and, > frankly, I think you really really should a

Re: md5sum proposal

1999-05-26 Thread Goswin Brederlow
Manoj Srivastava <[EMAIL PROTECTED]> writes: > Hi, > >>"Goswin" == Goswin Brederlow <[EMAIL PROTECTED]> writes: > >> This also has more complicated issues than just generating md5sums (find > >> | xargs will do that for you). In particular making sure your list of > >> md5sums isn't equally vu

Re: md5sum proposal

1999-05-26 Thread Michael Stone
On Tue, May 25, 1999 at 04:42:13PM -0500, Manoj Srivastava wrote: > Putting things in the packaging system so that we can be sure > they have it in the system is really silly, seeing that we have this > marvelous dependency mechanism. Maybe, maybe not. How would it work as a dependency?

Re: md5sum proposal

1999-05-25 Thread Manoj Srivastava
Hi, >>"Michael" == Michael Stone <[EMAIL PROTECTED]> writes: Michael> Because that doesn't do anything for the new user who Michael> doesn't discover that he wants to do this until _after_ he Michael> thinks something is wrong. A redhat support list can say "do Michael> x to verify your system

Re: md5sum proposal

1999-05-25 Thread Michael Stone
On Tue, May 25, 1999 at 01:39:14PM -0500, Manoj Srivastava wrote: > I still do not see why this has anything to do with the > packaging system. If all you want is to ensure that the files on your > system have not been modified since the time you installed them (and, > frankly, I think y

Re: md5sum proposal

1999-05-25 Thread Manoj Srivastava
Hi, I still do not see why this has anything to do with the packaging system. If all you want is to ensure that the files on your system have not been modified since the time you installed them (and, frankly, I think you really really should also look at things like /etc/hosts.allow e

Re: md5sum proposal

1999-05-25 Thread Christoph Lameter
On Mon, 24 May 1999, Branden Robinson wrote: > I will formally oppose any proposal to require md5sums files within Debian > packages unless it makes absolutely clear that they are not a defense > against intrusion, but only against "mindless" data corruption like a > failing hard disk. Or a virus

Re: md5sum proposal

1999-05-24 Thread Branden Robinson
On Mon, May 24, 1999 at 08:47:00AM -0700, Christoph Lameter wrote: > The md5sums of individual files are not only helpful for security but > for the verification of the integrity of installed files in general. RPM > includes perms etc in their database as well as noted by others before and > I wish

Re: md5sum proposal

1999-05-24 Thread Christoph Lameter
The md5sums of individual files are not only helpful for security but for the verification of the integrity of installed files in general. RPM includes perms etc in their database as well as noted by others before and I wish we would do that as well. On Mon, 24 May 1999, Anthony Towns wrote: > On

Re: md5sum proposal

1999-05-24 Thread Anthony Towns
On Sun, May 23, 1999 at 02:55:58PM -0700, Christoph Lameter wrote: > Seconded > On Mon, 17 May 1999, Piotr Roszatycki wrote: > > I think DEBIAN/md5sums file should be required for all packages. Just as a note: I don't object to this; I simply don't think it'll improve security in any conceiva

Re: md5sum proposal

1999-05-24 Thread Manoj Srivastava
Hi, >>"Christoph" == Christoph Lameter <[EMAIL PROTECTED]> writes: Christoph> md5sums are a verification of permanently installed files Christoph> guaranteeing their integrity and not of user Christoph> customizations. I think those issues need to be separate. I really think you are n

Re: md5sum proposal

1999-05-23 Thread Christoph Lameter
Seconded On Mon, 17 May 1999, Piotr Roszatycki wrote: > I think DEBIAN/md5sums file should be required for all packages. - Christoph Lameter (MS CS, M.Div.) http://lameter.com Adjunc

Re: md5sum proposal

1999-05-23 Thread Christoph Lameter
On 19 May 1999, Manoj Srivastava wrote: > Christoph> plus you only have the checksums of the files *after* they > Christoph> were unpacked. > > This is an advantage. This allows me to have the md5sums of > the config files after I modified them. This also allows one to add > other dir

Re: md5sum proposal

1999-05-23 Thread Piotr Roszatycki
Ok, I checked current situation and looked in to rpm. [EMAIL PROTECTED] pwd /pub/debian/dists/potato [EMAIL PROTECTED] for i in */binary-i386/*/*.deb; do echo $i; done | wc -l \ > 2>/dev/null 3282 [EMAIL PROTECTED] for i in */binary-i386/*/*.deb; do dpkg-deb -I $i|grep md5sums \ > 2>/dev/null;

Re: md5sum proposal

1999-05-20 Thread Joey Hess
Karl M. Hegbloom wrote: > > "Piotr" == Piotr Roszatycki <[EMAIL PROTECTED]> writes: > > Piotr> Maybe dpkg should have own verification system? As I known > Piotr> RPM can verify its package database. > > Does anyone know offhand how `rpm' performs that operation? We ought > to inv

Re: md5sum proposal

1999-05-20 Thread Karl M. Hegbloom
> "Piotr" == Piotr Roszatycki <[EMAIL PROTECTED]> writes: Piotr> Maybe dpkg should have own verification system? As I known Piotr> RPM can verify its package database. Does anyone know offhand how `rpm' performs that operation? We ought to investigate. -- mailto:[EMAIL PROTECTED

Re: md5sum proposal

1999-05-19 Thread Manoj Srivastava
Hi, >>"Goswin" == Goswin Brederlow <[EMAIL PROTECTED]> writes: Goswin> Anthony Towns writes: >> Taking an md5sum of the control.tgz and data.tgz components as a whole >> and signing these would be somewhat more `secure' and certainly no >> more difficult. Goswin> Yep. Saying that xxx has n

Re: md5sum proposal

1999-05-19 Thread Anthony Towns
On Wed, May 19, 1999 at 01:23:48PM +0200, Goswin Brederlow wrote: > > [1 ] > > On Wed, May 19, 1999 at 11:57:54AM +0200, Goswin Brederlow wrote: > > > 1. If each package had a md5sum file, one could verify the space > > >requirements before installing a package. > > Huh? .md5sums don't have an

Re: md5sum proposal

1999-05-19 Thread Goswin Brederlow
Anthony Towns writes: > [1 ] > On Wed, May 19, 1999 at 11:57:54AM +0200, Goswin Brederlow wrote: > > 1. If each package had a md5sum file, one could verify the space > >requirements before installing a package. > > Huh? .md5sums don't have any size information. How would this help? Ups, yo

Re: md5sum proposal

1999-05-19 Thread Anthony Towns
On Wed, May 19, 1999 at 11:57:54AM +0200, Goswin Brederlow wrote: > 1. If each package had a md5sum file, one could verify the space >requirements before installing a package. Huh? .md5sums don't have any size information. How would this help? > 2. md5sum files in the package could be signed.

Re: md5sum proposal

1999-05-19 Thread Goswin Brederlow
Here's my two pence worth of garbage: 1. If each package had a md5sum file, one could verify the space requirements before installing a package. 2. md5sum files in the package could be signed. (secure) 3. After configuration new md5sums can be generated and signed (for security) With signe

Re: md5sum proposal

1999-05-19 Thread Manoj Srivastava
Hi, >>"Christoph" == Christoph Lameter <[EMAIL PROTECTED]> writes: Christoph> On 18 May 1999, Manoj Srivastava wrote: >> Precisely. You have yet to come up with anything that addresses >> the technical shortcomings of the md5sum proposal. I, for one, use

Re: md5sum proposal

1999-05-19 Thread Christoph Lameter
On 18 May 1999, Manoj Srivastava wrote: > Precisely. You have yet to come up with anything that addresses > the technical shortcomings of the md5sum proposal. I, for one, use > tripwire. I would much prefer to use a free solution, but I do not > have time to write a secure

Re: md5sum proposal

1999-05-18 Thread Joey Hess
Brian Almeida wrote: > On Tue, May 18, 1999 at 02:17:04PM -0700, Joey Hess wrote: > > it's worth noting that Jim Dennis <[EMAIL PROTECTED]> is working on a > > standalone auditing tool for debian. The basic idea is that it compares an > > actual .deb file with what's installed on the system and fla

Re: md5sum proposal

1999-05-18 Thread Brian Almeida
On Tue, May 18, 1999 at 02:17:04PM -0700, Joey Hess wrote: > it's worth noting that Jim Dennis <[EMAIL PROTECTED]> is working on a > standalone auditing tool for debian. The basic idea is that it compares an > actual .deb file with what's installed on the system and flags differences. > It'll requi

Re: md5sum proposal

1999-05-18 Thread Joey Hess
it's worth noting that Jim Dennis <[EMAIL PROTECTED]> is working on a standalone auditing tool for debian. The basic idea is that it compares an actual .deb file with what's installed on the system and flags differences. It'll require that copies be kept of all installed deb's though, so it may onl

Re: md5sum proposal

1999-05-18 Thread Manoj Srivastava
Hi, >>"Peter" == Peter S Galbraith <[EMAIL PROTECTED]> writes: Peter> Then why do we half do it already? I don't. I do not think anyone should. However, I am willing not to micromanage other developers. Peter> Is there another reason? (I'm not talking `secure', I'm talking Peter>

Re: md5sum proposal

1999-05-18 Thread Manoj Srivastava
Hi, >>"Piotr" == Piotr Roszatycki <[EMAIL PROTECTED]> writes: >> a) It really provides no security. Piotr> It is not for *this* security reason (crackers, hackers and Piotr> others) Good. So on this we agree. >> b) It would bloat the packaging system, when it does not really solve

Re: md5sum proposal

1999-05-18 Thread Manoj Srivastava
Hi, >>"Peter" == Peter S Galbraith <[EMAIL PROTECTED]> writes: Peter> I agree. I didn't second the proposal because I thought it helped Peter> security, I seconded the proposal because it helps to find Peter> corrupted file after a system crash. A simple script with find and md5sum an

Re: md5sum proposal

1999-05-18 Thread Peter S Galbraith
Marcus Brinkmann wrote: > See, Piotr. We all agree with you that it would be great if we had a > reliable and secure tool to verify the system integrity. > > The real problem is that your proposal did nothing to get us closer to this > goal. Putting md5sums in the package file is probably not th

Re: md5sum proposal

1999-05-18 Thread Marcus Brinkmann
Hi, On Tue, May 18, 1999 at 05:23:20PM +0200, Piotr Roszatycki wrote: > > A few weeks ago I had a system crash. I had to check which packages were > broken. I had to do this _quickly_ and _easily_. > I lost a lot of time because I had to do it manually - a lot of packages > didn't have md5sums che

Re: md5sum proposal

1999-05-18 Thread Peter S Galbraith
Piotr Roszatycki wrote: > > a) It really provides no security. > It is not for *this* security reason (crackers, hackers and others) > [...] > > A few weeks ago I had a system crash. I had to check which packages were > broken. I had to do this _quickly_ and _easily_. > I lost a lot of time bec

Re: md5sum proposal

1999-05-18 Thread Piotr Roszatycki
> I have a different memory of events. This proposal was brought > up on this list, and was shot down because > a) It really provides no security. It is not for *this* security reason (crackers, hackers and others) > b) It would bloat the packaging system, when it does not really

Re: md5sum proposal

1999-05-18 Thread Manoj Srivastava
has not changed so why bother Christoph> repeating ourselves? Precisely. You have yet to come up with anything that addresses the technical shortcomings of the md5sum proposal. I, for one, use tripwire. I would much prefer to use a free solution, but I do not have time to write a secu

Re: md5sum proposal

1999-05-18 Thread Christoph Lameter
We have tried to get dpkg to do md5sums since over 3 years now. Given the inertia of the product we have no choice but to continue using what we have. I introduced md5sums only after it became clear that dpkg was an essentially deadbeat package and there was persistent demand for such a feature. Pl

Re: md5sum proposal

1999-05-18 Thread Manoj Srivastava
Hi, Oh, I agree. I would welcome any project to provide a free replacement for tripwire. Perhaps I should have said a tripwire _like_ package should be the way to go. manoj >>"Marcus" == Marcus Brinkmann <[EMAIL PROTECTED]> writes: Marcus> I second your motion in general (t

Re: md5sum proposal

1999-05-17 Thread Marcus Brinkmann
On Mon, May 17, 1999 at 03:27:15PM -0500, Manoj Srivastava wrote: > Peter> This reason alone is enough. I second the motion. > > Why reinvent the wheel and further bloat the packaging > system? Tripwire does this just fine. I second your motion in general (this does not belong into dp

Re: md5sum proposal

1999-05-17 Thread Brock Rozen
for many other reasons. BR On 17 May 1999 at 15:27, Manoj Srivastava wrote about "Re: md5sum proposal": > Hi, > >>"Peter" == Peter S Galbraith <[EMAIL PROTECTED]> writes: > > >> After some file system crash or any other reasons I'd like to chec

Re: md5sum proposal

1999-05-17 Thread Manoj Srivastava
Hi, >>"Peter" == Peter S Galbraith <[EMAIL PROTECTED]> writes: >> After some file system crash or any other reasons I'd like to check >> which files are corrupted, i.e. by 'debsums' tool. Peter> This reason alone is enough. I second the motion. Why reinvent the wheel and further bloa

Re: md5sum proposal

1999-05-17 Thread Manoj Srivastava
Hi, Oh no, not again. >>"Piotr" == Piotr Roszatycki <[EMAIL PROTECTED]> writes: Piotr> I think DEBIAN/md5sums file should be required for all packages. Piotr> md5sums is very useful for security reasons Not really. Any security threat can modify your md5sum file, which defeat

Re: md5sum proposal

1999-05-17 Thread Peter S Galbraith
Marcus Brinkmann wrote: > > I doubt the usefulness (dpkg is no backup system). But I > > will not object. Indeed, I see some usefulness, but I want > > to know more about the drawbacks: How do you want to verify > > the sums (using cruft, maybe?). How long will it need to > > check the whole fs

Re: md5sum proposal

1999-05-17 Thread Jason Gunthorpe
On Mon, 17 May 1999, Piotr Roszatycki wrote: > For now this system seems to be useless because some Debian packages have > md5sums file, some others don't. > > IMHO we should use this system for all packages or completely forget about it. I agree entirely with this. Personally I think our tim

Re: md5sum proposal

1999-05-17 Thread Piotr Roszatycki
> I doubt the usefulness (dpkg is no backup system). But I will not object. > Indeed, I see some usefulness, but I want to know more about the drawbacks: > How do you want to verify the sums (using cruft, maybe?). How long will it > need to check the whole fs, how much disk space will the md5sums

Re: md5sum proposal

1999-05-17 Thread Marcus Brinkmann
On Mon, May 17, 1999 at 04:42:42PM +0200, Piotr Roszatycki wrote: > I think DEBIAN/md5sums file should be required for all packages. I think you mean for all packages and all files which they contain? Or only the binaries and libraries? > md5sums is very useful for security reasons (trojans, fs

md5sum proposal

1999-05-17 Thread Piotr Roszatycki
I think DEBIAN/md5sums file should be required for all packages. md5sums is very useful for security reasons (trojans, fs crash, unexpected file modification) but a lot of important packages (sysvinit, dpkg, debianutils, bash, adduser, etc.) don't have this integrity verification. I propose any D