03-30-2010, 08:57 PM
Frank Lin PIAT
md5sums files... and beyond


In case anyone wonders about the status of replacing md5sums with
something stronger _in_ the binary packages, this should be considered
to be suspended until the next development cycle. (at least, from my

It has been pointed out that the current checksums aren't sufficient
to validate that an installed package is secure (quoting Joey Hess:
"there are innumerable ways for an attacker to inject bad
behavior/backdoors onto a system without touching binaries originating
from dpkg."[1] and "it's also fairly easy to modify a file in /etc to
provide a backdoor" ...)

Therefore, it should be clear that there is no urgency in replacing
DEBIAN/md5sums as they are "useful for corruption and local (benign)
modification checksumming." (quoting Russ Allbery[2]).

The initial proposal to replace md5sum with ${better}sum
should be enhanced with further meta-data. A very early draft is:



On Thu, 2010-03-11 at 00:44 +0100, Frank Lin PIAT wrote:
> On Wed, 2010-03-03 at 03:06 +0100, Wouter Verhelst wrote:
> >
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums. While that
> > might've been useful at some point, I don't think it still is.
> Hi all,
> Can you think of any sensible reason for not including md5sums of
> control files, especially the {pre,post}{inst,rm} scripts?
> In the shasum file, those files could be either:
> 1. inserted, with the patch rewritten to match their expected
> location on the target system.
> or
> 2. inserted as a *comment* in the shasum file, like:
> #68b329da9893e34099c7d8ad5cb9c940 CONTROL.TARostinst

[1] http://lists.debian.org/msgid-search/20100308225913.GA25043@gnu.kitenet.net
[2] http://lists.debian.org/msgid-search/87wrxmbkdn.fsf@windlord.stanford.edu

Archive: http://lists.debian.org/1269982677.3574.252.camel@solid.paris.klabs.be
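Editor's added example (my own code, not part of Frank's post and not a
Debian or dpkg tool): a small verifier for a per-package digest list in the
DEBIAN/md5sums layout ("<digest>  <path relative to />"), extended with the
commented "#<digest> NAME" form for maintainer scripts that the quoted reply
sketches. The package layout, file contents, the sha256 choice, the
"postinst" entry name and the placement of the script under
var/lib/dpkg/info are all constructed assumptions for the demo. The point it
makes is the one Joey Hess and Russ Allbery raise above: the list catches a
modified shipped file and a modified maintainer script, but a conffile
(excluded by default from md5sums) or a file dropped outside the package is
simply not on the list, so a digest file of any strength says nothing about
it.

```python
import hashlib
import os
import re
import tempfile

# One entry per line: "<hex digest>  <path relative to />".
# A leading "#" marks the draft comment form for control-tarball members
# (assumption: this form is taken from the quoted proposal, not from dpkg).
ENTRY_RE = re.compile(r"^(#?)([0-9a-fA-F]+)\s+(\S.*)$")


def parse_sums(text):
    """Return ({rel_path: digest}, {control_name: digest})."""
    files, control = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("malformed entry: %r" % line)
        is_control, digest, name = m.groups()
        (control if is_control else files)[name] = digest.lower()
    return files, control


def digest_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sums(root, rel_paths, algo):
    """Emit entries in the md5sums layout for the given shipped files."""
    return "".join("%s  %s\n" % (digest_file(os.path.join(root, r), algo), r)
                   for r in rel_paths)


def verify(root, entries, algo):
    """Map each listed path to 'ok', 'modified' or 'missing'."""
    report = {}
    for rel, expected in entries.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            report[rel] = "missing"
        else:
            report[rel] = "ok" if digest_file(p, algo) == expected else "modified"
    return report


def unlisted(root, entries, skip=("var/lib/dpkg",)):
    """Files under root that no entry covers: the verifier's blind spot."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), root)
            if rel not in entries and not rel.startswith(skip):
                found.append(rel)
    return sorted(found)


def demo():
    """Constructed package tree (not real Debian data) before and after tampering."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)

        algo = "sha256"
        shipped = ["usr/bin/tool", "usr/share/doc/pkg/README"]
        put("usr/bin/tool", b"\x7fELF-not-really\n")
        put("usr/share/doc/pkg/README", b"hello\n")
        put("etc/pkg.conf", b"listen=127.0.0.1\n")  # conffile: not listed, as dh_md5sums does by default
        info = os.path.join(root, "var/lib/dpkg/info")
        put("var/lib/dpkg/info/pkg.postinst", b"#!/bin/sh\nexit 0\n")

        # The digest list as it would ship: shipped files plus the postinst comment entry.
        text = build_sums(root, shipped, algo)
        text += "#%s postinst\n" % digest_file(os.path.join(info, "pkg.postinst"), algo)
        files, control = parse_sums(text)

        # Tampering after install: one shipped file, the conffile, a dropped
        # file the package never owned, and the maintainer script.
        put("usr/bin/tool", b"\x7fELF-not-really\nextra code\n")
        put("etc/pkg.conf", b"listen=0.0.0.0\n")
        put("usr/lib/pkg/evil.so", b"dropped\n")
        put("var/lib/dpkg/info/pkg.postinst", b"#!/bin/sh\necho changed\n")

        return {
            "files": verify(root, files, algo),
            "control": verify(info, {"pkg." + n: d for n, d in control.items()}, algo),
            "unlisted": unlisted(root, files),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Whether the digests are md5 or sha256 changes nothing in this picture: the
tool only answers for paths that are on the list, which is exactly why the
list is "useful for corruption and local (benign) modification checksumming"
and not as an integrity proof of the system.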
