[EMAIL PROTECTED] writes:

> Goswin von Brederlow <[EMAIL PROTECTED]> wrote on
> 16.12.2003 19:15:43:
> Now it is getting clearer. We are talking about different things.
> I'm talking about the md5sums files in the directory
> /var/lib/dpkg/info. You talk about the md5 sum of the whole package
> (MD5sum). So what I'd like to say is that for the Debian package bc
> (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in
> place. This file is checked and used by the tool debsums. That is
> the thing I'm complaining about.

I know. I'm talking about both.

> Regards, Werner
>
> > [EMAIL PROTECTED] writes:
> >
> > > goswin,
> > > > [EMAIL PROTECTED] writes:
> > > >
> > > > > Subject: general: no md5sums for many packages (e.g. bc)
> > > > > Package: general
> > > > > Version: N/A; reported 2003-12-12
> > > > > Severity: normal
> > > > > Tags: security
> > > >
> > > > Every package has an md5sum in the Packages file.
> > > The answer is not correct. Please see as an example the package bc with version
> > > 1.06-8 or bzip2 version 1.0.2-1, ....
> >
> > Package: bc
> > Version: 1.06-12
> > MD5sum: 9e9945dd5b84b14658c179c2b04c7b89
> >
> > _EVERY_ deb has an md5sum in the Packages file.
> >
> > > > Some packages have a useless and space-wasting md5sums file inside the
> > > > package. Due to its uselessness the existence is rather a bug than its
> > > > omission.
> > > I don't understand your comment above. Why is the md5sums file useless and
> > > space-wasting, especially in terms of security? Until now, I was of the
> > > opinion that the md5sum gives me the guarantee that a Debian package is not
> > > penetrated before installation and further - after having the packages
> > > installed on a machine - the md5sum files give me the confidence that the
> > > Debian binaries are correct and consistent.
> >
> > Any attacker would surely change the md5sums file along with changing
> > the actual files. Nothing guards against the md5sums file getting
> > changed intentionally or accidentally.
> >
> > Only the global md5sum in the Packages file says the file has not
> > changed since, well, since the Packages file was generated. Since
> > nothing checks the Release.gpg signature (without apt-secure
> > installed) that's not much more secure either. But you can make sure
> > it's not changed since ftp-master.debian.org generated the file.
> >
> > Regards
> > Goswin

Regards
Goswin
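The two checks argued about above, as an added Python example (not code from the thread, from dpkg or from debsums): a debsums-style pass over a package's md5sums file, and a check of a downloaded .deb against the MD5sum field of its Packages stanza. The demo shows Goswin's point concretely: replacing a file is caught by the md5sums pass, but an attacker who also rewrites the md5sums line gets a clean result, because both file and checksum live under the same local write access. The Packages-file digest is different in kind: it was computed when the archive generated the Packages file, so a local edit of the .deb cannot be papered over without also controlling the Packages file, which is exactly what the Release.gpg check (apt-secure) protects. All paths, file contents and the Packages stanza below are constructed for the demo; the stand-in .deb is not a real archive.

```python
"""debsums-style verification versus the Packages-file MD5sum.
Added example; not dpkg or debsums code. All inputs are constructed."""
import hashlib
import os
import shutil
import tempfile


def parse_md5sums(text):
    """Parse a dpkg .md5sums file: '<32 hex digits>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)  # real files use two spaces as separator
        entries[path] = digest.lower()
    return entries


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def debsums_check(root, md5sums_text):
    """Return {relpath: 'OK' | 'FAILED' | 'missing'}, the verdicts debsums would print.
    root stands in for / so the demo can run in a temp directory."""
    verdicts = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            verdicts[rel] = "missing"
        else:
            verdicts[rel] = "OK" if md5_file(full) == expected else "FAILED"
    return verdicts


def parse_packages_stanza(text):
    """Parse one 'Field: value' stanza of a Packages file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def verify_deb(deb_path, stanza_text):
    """True iff the .deb on disk matches the MD5sum recorded in its Packages stanza."""
    return md5_file(deb_path) == parse_packages_stanza(stanza_text)["MD5sum"].lower()


def demo_md5sums():
    """Genuine file, then a replaced binary, then binary plus rewritten md5sums."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "usr/bin"))
        binary = os.path.join(root, "usr/bin/bc")
        with open(binary, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine bc\n")          # constructed content
        md5sums = "%s  usr/bin/bc\n" % md5_file(binary)        # as dpkg would store it
        clean = debsums_check(root, md5sums)

        with open(binary, "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned bc\n")         # attacker swaps the file
        tampered = debsums_check(root, md5sums)

        rewritten = "%s  usr/bin/bc\n" % md5_file(binary)      # ... and the md5sums line
        covered = debsums_check(root, rewritten)
        return clean, tampered, covered
    finally:
        shutil.rmtree(root, ignore_errors=True)


def demo_packages():
    """Stand-in .deb checked against a constructed Packages stanza, before and after
    bytes are appended locally. The stanza's MD5sum plays the role of the value
    computed by the archive when the Packages file was generated."""
    root = tempfile.mkdtemp()
    try:
        deb = os.path.join(root, "bc_1.06-12_i386.deb")
        with open(deb, "wb") as f:
            f.write(b"!<arch>\nconstructed stand-in, not a real .deb\n")
        stanza = "Package: bc\nVersion: 1.06-12\nMD5sum: %s\n" % md5_file(deb)
        genuine = verify_deb(deb, stanza)
        with open(deb, "ab") as f:
            f.write(b"injected payload\n")                     # local modification
        modified = verify_deb(deb, stanza)
        return genuine, modified
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("md5sums pass (clean, tampered, tampered+rewritten):", demo_md5sums())
    print("Packages MD5sum (genuine, modified):", demo_packages())
```

The third verdict from `demo_md5sums` is the whole argument: a clean debsums run proves consistency between a file and a checksum that sit side by side on the same disk, not integrity against anyone who could write to that disk. The Packages-file check only moves the trust to the Packages file itself, which is why Goswin ties it to the Release.gpg signature. MD5 is used here because that is what the 2003 md5sums files and Packages entries carried; its collision resistance is broken, and a current chain uses SHA-256 for the same roles.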