03-30-2010, 08:57 PM
Frank Lin PIAT

md5sums files... and beyond

Hi,

In case anyone wonders about the status of replacing md5sums with
something stronger _in_ the binary packages, this should be considered
to be suspended until the next development cycle. (at least, from my
PoV).

It has been pointed out that the current checksums aren't sufficient
to validate that an installed package is secure (quoting Joey Hess:
"there are innumerable ways for an attacker to inject bad
behavior/backdoors onto a system without touching binaries originating
from dpkg."[1] and "it's also fairly easy to modify a file in /etc to
provide a backdoor" ...)

Therefore, it should be clear that there is no urgency in replacing
DEBIAN/md5sums as they are "useful for corruption and local (benign)
modification checksumming." (quoting Russ Allbery[2]).


The initial proposal to replace md5sum with ${better}sum:
http://wiki.debian.org/Sha256sumsInPackages
should be enhanced with further meta-data. A very early draft is:
http://wiki.debian.org/Proposals/BinaryPackageDescriptor


Regards,

Franklin

On Thu, 2010-03-11 at 00:44 +0100, Frank Lin PIAT wrote:
> On Wed, 2010-03-03 at 03:06 +0100, Wouter Verhelst wrote:
> >
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums. While that
> > might've been useful at some point, I don't think it still is.
>
> Hi all,
>
> Can you think of any sensible reason for not including md5sums of
> control files, especially the {pre,post}{inst,rm} scripts?
>
> In the shasum file, those files could be either:
> 1. inserted, with the path rewritten to match their expected
> location on the target system.
> or
> 2. inserted as a *comment* in the shasum file, like:
> #68b329da9893e34099c7d8ad5cb9c940 CONTROL.TARostinst

[1] http://lists.debian.org/msgid-search/20100308225913.GA25043@gnu.kitenet.net
[2] http://lists.debian.org/msgid-search/87wrxmbkdn.fsf@windlord.stanford.edu


Archive: http://lists.debian.org/1269982677.3574.252.camel@solid.paris.klabs.be
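As an added worked example (not code from this thread, from dpkg, or from the wiki proposals), the following Python script checks an installed tree against a DEBIAN/md5sums-style listing and shows both what such a file catches and what the message above says it cannot. It assumes dpkg's line format (hex digest, two spaces, path relative to the install root), picks MD5 or SHA-256 from the digest length so the same code covers the proposed Sha256sums files, and reads the proposal's control-script lines in the assumed form `#<digest> CONTROL.TAR/<script>`. The install root, the conffile edit and the extra cron file are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Algorithm chosen by digest length: dpkg's md5sums files carry 32 hex
# characters, the proposed Sha256sums files would carry 64.
_ALGO_BY_LEN = {32: "md5", 64: "sha256"}


def parse_sums(text):
    """Parse a DEBIAN/md5sums-style listing.

    Returns (files, control): files maps an install-root-relative path to
    its expected hex digest; control maps a maintainer script name to its
    digest, taken from '#<digest> CONTROL.TAR/<script>' comment lines
    (an assumed rendering of the proposal's option 2).
    """
    files, control = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            digest, _, name = line[1:].partition(" ")
            control[name.strip()] = digest
            continue
        digest, _, path = line.partition("  ")  # dpkg uses two spaces
        files[path] = digest
    return files, control


def digest_file(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, sums_text):
    """Return {relative path: 'ok' | 'modified' | 'missing'} for listed files.

    Files that exist under root but are absent from the listing are never
    looked at: that is the blind spot the thread describes.
    """
    files, _ = parse_sums(sums_text)
    results = {}
    for rel, expected in files.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "missing"
        elif digest_file(p, _ALGO_BY_LEN[len(expected)]) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def unlisted_files(root, sums_text):
    """Files present under root that no checksum line covers."""
    files, _ = parse_sums(sums_text)
    root = Path(root)
    present = sorted(p.relative_to(root).as_posix()
                     for p in root.rglob("*") if p.is_file())
    return [f for f in present if f not in files]


def build_demo_tree(algo="sha256"):
    """Constructed sample: a tiny install root plus its checksum listing."""
    root = Path(tempfile.mkdtemp(prefix="pkgcheck-"))
    bin_path = root / "usr/bin/tool"
    conf_path = root / "etc/tool.conf"
    for p, body in ((bin_path, b"#!/bin/sh\necho tool\n"),
                    (conf_path, b"mode=safe\n")):
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    postinst = b"#!/bin/sh\nset -e\n"  # constructed maintainer script body
    lines = [f"{digest_file(p, algo)}  {p.relative_to(root).as_posix()}"
             for p in (bin_path, conf_path)]
    lines.append(f"#{hashlib.new(algo, postinst).hexdigest()} CONTROL.TAR/postinst")
    sums = "\n".join(lines) + "\n"
    # What the thread warns about: a conffile edited to change behaviour
    # (indistinguishable from a benign admin edit) and a new file dropped
    # into /etc that no listing mentions at all.
    conf_path.write_bytes(b"mode=unsafe\n")
    cron = root / "etc/cron.d/tool-job"
    cron.parent.mkdir(parents=True)
    cron.write_bytes(b"* * * * * root /tmp/x\n")
    return root, sums


if __name__ == "__main__":
    root, sums = build_demo_tree()
    print(verify_tree(root, sums))
    print("unlisted:", unlisted_files(root, sums))
```

Running it reports `usr/bin/tool` as ok and `etc/tool.conf` as modified, while `etc/cron.d/tool-job` appears only in the unlisted set: the listing is good for spotting corruption and local edits of shipped files, but says nothing about files added beside them, which is why the message treats a stronger hash as a non-urgent improvement rather than a security control.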