Matt Zimmerman <[EMAIL PROTECTED]> writes:
> On Sun, Dec 07, 2003 at 10:42:10PM +0100, Goswin von Brederlow wrote:
>
> > Having or not having is of the order of several 100MB. The shear
> > number of debs makes the impact.
>
> Fortunately, the actual effect is much smaller since nearly all packa
On Sun, Dec 07, 2003 at 10:42:10PM +0100, Goswin von Brederlow wrote:
> Having or not having is of the order of several 100MB. The shear
> number of debs makes the impact.
Fortunately, the actual effect is much smaller since nearly all packages
have md5sums already.
--
- mdz
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> > Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> >
> > > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > >
> > > >
> > > > The only reason attackers don't do it is because
On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> Anthony DeRobertis <[EMAIL PROTECTED]> writes:
>
> > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> >
> > >
> > > The only reason attackers don't do it is because with rpm noone cares
> > > about the md5sums.
> >
> > Would y
On Sat, 2003-12-06 at 02:24, Manoj Srivastava wrote:
> I am (probably) getting a Zaurus for christmas this year. I
> would like to run Debian on it. You think that the PDA has gobs of
> disk space to throw around?
I think if you're worried about an extra few bytes per file from
md5sums,
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
>
> >
> > The only reason attackers don't do it is because with rpm noone cares
> > about the md5sums.
>
> Would you care to provide some evidence as to why Debian having md5sums
> on all p
On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
>
> The only reason attackers don't do it is because with rpm noone cares
> about the md5sums.
Would you care to provide some evidence as to why Debian having md5sums
on all pacakges would be any different for attackers than RedHat having
Hi,
how about the following compromise:
Instead of having a md5sums file inside the control.tar.gz the md5sums
file is added to the end deb archive as "md5sums". The file would
contain a sorted list of all files in data.tar.gz _and_ control.tar.gz
(moved into /var/lib/dpkg/info where they end up)
David Weinehall <[EMAIL PROTECTED]> writes:
> On Sat, Dec 06, 2003 at 01:24:58AM -0600, Manoj Srivastava wrote:
> > On Fri, 05 Dec 2003 13:34:10 -0500, Anthony DeRobertis <[EMAIL PROTECTED]>
> > said:
> >
> > > On Thu, 2003-12-04 at 11:11, Manoj Srivastava wrote:
> > >> That is but one optimiza
On Sat, Dec 06, 2003 at 01:24:58AM -0600, Manoj Srivastava wrote:
> On Fri, 05 Dec 2003 13:34:10 -0500, Anthony DeRobertis <[EMAIL PROTECTED]>
> said:
>
> > On Thu, 2003-12-04 at 11:11, Manoj Srivastava wrote:
> >> That is but one optimization: we already are suffering from archive
> >> bloat, w
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow <[EMAIL PROTECTED]> [031206 05:12]:
> > > But false negatives cause work. Why do you want to cause false
> > > negatives?
> >
> > Its not causing it. Its not preventing them anymore than the current
> > list.
>
> Huh? I gave
* Goswin von Brederlow <[EMAIL PROTECTED]> [031206 05:12]:
> > But false negatives cause work. Why do you want to cause false
> > negatives?
>
> Its not causing it. Its not preventing them anymore than the current
> list.
Huh? I gave multiple examples where the current solution works
correctly, b
On Fri, 5 Dec 2003 16:50:19 +0100, Javier Fernández-Sanguino Peña <[EMAIL
PROTECTED]> said:
> Well, there are not really sides here. But again:
> - I want md5sums to be stored in the local filesystem, I don't
> really care
> if they are inside the debs or not, as long as it's standard
> proce
On Thu, 4 Dec 2003 19:30:12 +0100, Javier Fernández-Sanguino Peña <[EMAIL
PROTECTED]> said:
> Why do we have to make each of our users find a solution to generate
> this from a _local_ mirror (or the system's .deb archive which
> shoulnd't be trusted in the event of an intrusion) when we could d
On Fri, 05 Dec 2003 13:34:10 -0500, Anthony DeRobertis <[EMAIL PROTECTED]>
said:
> On Thu, 2003-12-04 at 11:11, Manoj Srivastava wrote:
>> That is but one optimization: we already are suffering from archive
>> bloat, what about the disk and bandwidth cost of carrying around
>> the sigs? And sin
On Thu, 04 Dec 2003 17:36:16 +0100, Thomas Viehmann <[EMAIL PROTECTED]> said:
> Manoj Srivastava wrote:
>> Before we make such a push, we should at least ensure that it is
>> something we really want to do. I think locally generated checksums
>> are a better solution.
> To me, the main use of md5
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Thu, 2003-12-04 at 19:06, Goswin von Brederlow wrote:
>
> > > Actually, I think the biggest benefit of md5sums is that while
> > > attackers certainly could modify them, often they don't. While passing
> > > debsums certainly can't prove the int
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow <[EMAIL PROTECTED]> [031205 16:11]:
> > With replaced files being kept you can recalculate correct md5sum
> > lists for A and B at any time in any combination of installed
> > packages. But even if it fails due to some bug you
On Thu, 2003-12-04 at 11:11, Manoj Srivastava wrote:
> That is but one optimization: we already are suffering from
> archive bloat, what about the disk and bandwidth cost of carrying
> around the sigs? And since one rarely needs the md5sums anyway, what
> is so wrong with checking agains
On Wed, 2003-12-03 at 20:46, Goswin von Brederlow wrote:
> Because without preventing tampering (even accidental) of the md5sums
> file its quite useless.
I want to check if anything on my system was corrupted after a recent
bout of fun with fsck. The md5sums are quite useful for that.
signatur
On Thu, 2003-12-04 at 19:06, Goswin von Brederlow wrote:
> > Actually, I think the biggest benefit of md5sums is that while
> > attackers certainly could modify them, often they don't. While passing
> > debsums certainly can't prove the integrity of a system, debsums
> > failing can certainly prov
* Goswin von Brederlow <[EMAIL PROTECTED]> [031205 16:11]:
> With replaced files being kept you can recalculate correct md5sum
> lists for A and B at any time in any combination of installed
> packages. But even if it fails due to some bug you will only get a
> false negative. Then you download the
(no need to CC: me as I'm subscribe)
> > Why do we have to make each of our users find a solution to generate this
> > from a _local_ mirror (or the system's .deb archive which shoulnd't be
> > trusted in the event of an intrusion) when we could do this ourselves and
> > provide the results?
>
>
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> On 04 Dec 2003 02:44:31 +0100, Goswin von Brederlow <[EMAIL PROTECTED]> said:
>
> > "Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> >> * Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
> >> > Before we make such a push, we should at least ens
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Manoj Srivastava <[EMAIL PROTECTED]> [031204 18:00]:
> > >> The md5sum file should be generated at build time, signed and only
> > >> the signature kept. The signature is small enough not to cause
> > >> bloat, it can be included in the Package fi
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow <[EMAIL PROTECTED]> [031204 15:05]:
> > > I also think it is hardly possible to regenerate the .md5sums file
> > > in a way the signature will be kept. It would need to never change
> > > which files are included and how they
Javier =?iso-8859-15?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <[EMAIL PROTECTED]> writes:
> [Manoj, I'm going to concentrate on this example, it's probably a corner
> case and I'm probably digressing here ... oh well]
>
> On Thu, Dec 04, 2003 at 11:17:46AM -0600, Manoj Srivastava wrote:
> > > Finally,
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Dec 3, 2003, at 21:07, Goswin von Brederlow wrote:
> >
> > You can just as well just check all the debs. gunzip doesn't take
> > longer, the slowest thing usually is the cdrom.
>
> True, so I should probably just put the md5sums files on my CD,
On Thu, 04 Dec 2003 17:36:16 +0100, Thomas Viehmann <[EMAIL PROTECTED]> said:
> Manoj Srivastava wrote:
>> Before we make such a push, we should at least ensure that it is
>> something we really want to do. I think locally generated checksums
>> are a better solution.
> To me, the main use of md5
[Manoj, I'm going to concentrate on this example, it's probably a corner
case and I'm probably digressing here ... oh well]
On Thu, Dec 04, 2003 at 11:17:46AM -0600, Manoj Srivastava wrote:
> > Finally, there's one thing md5sums in packages can provide that no
> > other solution proposed in th
On Thu, 4 Dec 2003 12:43:18 +0100, Eduard Bloch <[EMAIL PROTECTED]> said:
>> include
> * Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
>> > - current md5sums file in control.tar.gz should contain checksums
>> > of
>> >really all files
>>
>> Hard to do for conffiles. Now, if the md5sums
On Thu, 4 Dec 2003 02:29:29 +0100, Javier Fernández-Sanguino Peña <[EMAIL
PROTECTED]> said:
> On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
>> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe
>> <[EMAIL PROTECTED]> said:
>>
>> > I don't see why adding a md5dsum_are_mandato
On Dec 3, 2003, at 21:07, Goswin von Brederlow wrote:
You can just as well just check all the debs. gunzip doesn't take
longer, the slowest thing usually is the cdrom.
True, so I should probably just put the md5sums files on my CD, and
check those. That'd be far faster.
I could even put the md5su
On Wed, 03 Dec 2003 17:40:51 -0500, Anthony DeRobertis <[EMAIL PROTECTED]>
said:
> On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
>> Because it buys little security wise?
> I can take a rescue disk, a CD with relevant packages on it, boot
> the suspect server from the rescue disk, and qui
* Goswin von Brederlow <[EMAIL PROTECTED]> [031204 15:05]:
> > I also think it is hardly possible to regenerate the .md5sums file
> > in a way the signature will be kept. It would need to never change
> > which files are included and how they are sorted. It could also
> > cause problems with more s
* Manoj Srivastava <[EMAIL PROTECTED]> [031204 18:00]:
> >> The md5sum file should be generated at build time, signed and only
> >> the signature kept. The signature is small enough not to cause
> >> bloat, it can be included in the Package file or a Signatures.gz
> >> file containing all signature
Manoj Srivastava wrote:
> Before we make such a push, we should at least ensure that it
> is something we really want to do. I think locally generated
> checksums are a better solution.
To me, the main use of md5sums seems to be verifying nothing bad (as in
accident, not malicious manipulat
On Thu, 4 Dec 2003 13:02:57 +0100, Bernhard R Link <[EMAIL PROTECTED]> said:
> * Goswin von Brederlow <[EMAIL PROTECTED]>
> [031204 02:46]:
>> "Bernhard R. Link" <[EMAIL PROTECTED]> writes:
>> > I don't think so. md5-calculation it not the fastest thing
>> > (especially on non-i386 it often fee
On 04 Dec 2003 02:44:31 +0100, Goswin von Brederlow <[EMAIL PROTECTED]> said:
> "Bernhard R. Link" <[EMAIL PROTECTED]> writes:
>> * Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
>> >Before we make such a push, we should at least ensure that it
>> > is something we really want to do. I
On Wed, 3 Dec 2003 23:19:58 +0100, Bernhard R Link <[EMAIL PROTECTED]> said:
> * Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
>> Before we make such a push, we should at least ensure that it is
>> something we really want to do. I think locally generated checksums
>> are a better solution
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Goswin von Brederlow <[EMAIL PROTECTED]> [031204 02:46]:
> > "Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> > > I don't think so. md5-calculation it not the fastest thing (especially
> > > on non-i386 it often feels like downloading and installi
* Goswin von Brederlow <[EMAIL PROTECTED]> [031204 02:46]:
> "Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> > I don't think so. md5-calculation it not the fastest thing (especially
> > on non-i386 it often feels like downloading and installing together
> > needs less time than the md5sum-verifica
#include
* Manoj Srivastava [Wed, Dec 03 2003, 04:19:59AM]:
> > - current md5sums file in control.tar.gz should contain checksums of
> >really all files
>
> Hard to do for conffiles. Now, if the md5sums were generated
Then only add the m5sums of the control.tar.gz contents and add it
On Thu, Dec 04, 2003 at 03:07:52AM +0100, Goswin von Brederlow wrote:
> Anthony DeRobertis <[EMAIL PROTECTED]> writes:
>
> > On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
> >
> > > Because it buys little security wise?
> >
> > I can take a rescue disk, a CD with relevant packages on it
Anthony DeRobertis <[EMAIL PROTECTED]> writes:
> On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
>
> > Because it buys little security wise?
>
> I can take a rescue disk, a CD with relevant packages on it, boot the
> suspect server from the rescue disk, and quickly check md5sums. At
>
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe <[EMAIL PROTECTED]> said:
>
> > I don't see why adding a md5dsum_are_mandatory clause to the debian
> > policy would be difficult (what would be a good reason to not add
> > md5sum to a package?).
"Bernhard R. Link" <[EMAIL PROTECTED]> writes:
> * Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
> > Before we make such a push, we should at least ensure that it
> > is something we really want to do. I think locally generated
> > checksums are a better solution.
>
> I don't think s
On Wed, Dec 03, 2003 at 04:23:33AM -0600, Manoj Srivastava wrote:
> On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe <[EMAIL PROTECTED]> said:
>
> > I don't see why adding a md5dsum_are_mandatory clause to the debian
> > policy would be difficult (what would be a good reason to not add
> > md5
On Wed, 2003-12-03 at 05:23, Manoj Srivastava wrote:
> Because it buys little security wise?
I can take a rescue disk, a CD with relevant packages on it, boot the
suspect server from the rescue disk, and quickly check md5sums. At
least, if all packages had md5sums I could.
signature.asc
* Manoj Srivastava <[EMAIL PROTECTED]> [031203 20:12]:
> Before we make such a push, we should at least ensure that it
> is something we really want to do. I think locally generated
> checksums are a better solution.
I don't think so. md5-calculation it not the fastest thing (especially
on
On Mon, 1 Dec 2003 17:12:36 -0500, christophe barbe <[EMAIL PROTECTED]> said:
> I don't see why adding a md5dsum_are_mandatory clause to the debian
> policy would be difficult (what would be a good reason to not add
> md5sum to a package?).
Because it buys little security wise? Because t
On Mon, 1 Dec 2003 19:22:44 -0200, Henrique de Moraes Holschuh <[EMAIL
PROTECTED]> said:
> On Mon, 01 Dec 2003, Thomas Viehmann wrote:
>> Henrique de Moraes Holschuh wrote:
>> > On Mon, 01 Dec 2003, christophe barbe wrote:
>> >
>> >>Before mass bug-filling, it would be necessary to make it
>> >>
On Mon, 1 Dec 2003 18:08:28 +0100, Eduard Bloch <[EMAIL PROTECTED]> said:
> AFAICS the only way to verify the contents of maintainer scripts
> automaticaly is to have the binary package, verify its contents via
> .changes or Release/Packages path, extract it and compare the
> files. Too complicat
* Chad Walstrom <[EMAIL PROTECTED]> [031202 18:14]:
> I'm not following your logic, if that's what you call it. You're saying
> that checking the current filesystem on a daily basis is NOT a good way
> to verify filesystem integrity?
I say it won't give you an real advantage over checking the *.m
Chad Walstrom <[EMAIL PROTECTED]> writes:
> On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
> > > A true IDS is needed, such as aide, tripwire, or cfengine to detect
> > > post-installation intrusion. Tie in aide or tripwire database
> > > checks/updates with the apt.conf "PostI
christophe barbe wrote:
> On Mon, Dec 01, 2003 at 08:24:09PM +0100, Thomas Viehmann wrote:
>
>>Michael Ablassmeier wrote:
>>
>>>IMHO Lintian should also check if "dh_md5sums" is called and
>>>print at least a warning if this is not the case.
>>
>>In principle, I argree, but maybe it's better to ch
Hallo.
Henrique de Moraes Holschuh wrote:
> Otherwise, it simply won't happen, unless about 90% of the packages or so
> aready use md5sums. At that figure, you have some changes of passing a
> policy of 'must', and you are guaranteed to get a 'should' to be approved
> IMHO.
More than 92% of the p
On Tue, Dec 02, 2003 at 02:01:23PM +0100, Bernhard R. Link wrote:
> > A true IDS is needed, such as aide, tripwire, or cfengine to detect
> > post-installation intrusion. Tie in aide or tripwire database
> > checks/updates with the apt.conf "PostInst" option in addition to a
> > daily cronjon to e
* Chad Walstrom <[EMAIL PROTECTED]> [031201 22:28]:
> md5sums and signatures are most useful in the context of installation.
> Post-installation, you cannot be guaranteed that an intrusion rootkit
> doesn't compromise the md5sum files themselves. Using the installed
> *.md5sum files to check the in
Eduard Bloch <[EMAIL PROTECTED]> writes:
> Moin Goswin!
> Goswin von Brederlow schrieb am Tuesday, den 02. December 2003:
>
> > > I would like to see the following things happen:
> > >
> > > - current md5sums file in control.tar.gz should contain
> > >checksums of really all files
> > > -
Moin Goswin!
Goswin von Brederlow schrieb am Tuesday, den 02. December 2003:
> > I would like to see the following things happen:
> >
> > - current md5sums file in control.tar.gz should contain
> >checksums of really all files
> > - a signature of the md5sums file should be stored either in
christophe barbe <[EMAIL PROTECTED]> writes:
> On Mon, Dec 01, 2003 at 09:11:52PM +0100, Andreas Barth wrote:
> > > Before mass bug-filling, it would be necessary to make it mandatory
> > > which unfortunately is not the case right now afaik.
> >
> > Severity: wishlist
> > Where is the problem?
Eduard Bloch <[EMAIL PROTECTED]> writes:
> #include
> John Goerzen schrieb am Monday, den 01. December 2003:
>
> > Debsigs generates its signature by effectively cating the control and
> > data components of the ar file together, running that through gpg, and
> > storing the resulting signature
On Mon, Dec 01, 2003 at 08:24:09PM +0100, Thomas Viehmann wrote:
> Michael Ablassmeier wrote:
> > IMHO Lintian should also check if "dh_md5sums" is called and
> > print at least a warning if this is not the case.
> In principle, I argree, but maybe it's better to check for the presence
> of an md5s
On Mon, Dec 01, 2003 at 09:11:52PM +0100, Andreas Barth wrote:
> > Before mass bug-filling, it would be necessary to make it mandatory
> > which unfortunately is not the case right now afaik.
>
> Severity: wishlist
> Where is the problem?
Waste of time ?
If it's not mandatory, a full coverage wi
On Mon, 01 Dec 2003, Thomas Viehmann wrote:
> Henrique de Moraes Holschuh wrote:
> > On Mon, 01 Dec 2003, christophe barbe wrote:
> >
> >>Before mass bug-filling, it would be necessary to make it mandatory
> >>which unfortunately is not the case right now afaik.
> >
> >
> > Deployment plan for
Henrique de Moraes Holschuh wrote:
> On Mon, 01 Dec 2003, christophe barbe wrote:
>
>>Before mass bug-filling, it would be necessary to make it mandatory
>>which unfortunately is not the case right now afaik.
>
>
> Deployment plan for md5sums everywhere:
At ~600 affected source packages, this s
On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote:
> Kinda off-topic but nowhere in the discussion the question of checking
> already installed files was adressed and it should be asked:
md5sums and signatures are most useful in the context of installation.
Post-installation, you cannot
* christophe barbe ([EMAIL PROTECTED]) [031201 20:10]:
> On Mon, Dec 01, 2003 at 07:43:17PM +0100, Michael Ablassmeier wrote:
> > Unfortunately many Maintainers do not use "dh_md5sums" to ship
> > an .md5sums File in their Package(s). This makes it harder to
> > check the already installed Files on
On Mon, 01 Dec 2003, christophe barbe wrote:
> Before mass bug-filling, it would be necessary to make it mandatory
> which unfortunately is not the case right now afaik.
Deployment plan for md5sums everywhere:
1. List packages that do not have a md5sum included.
For every package in the list:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Mon, Dec 01, 2003 at 01:56:09PM -0500, christophe barbe wrote:
> Before mass bug-filling, it would be necessary to make it mandatory
> which unfortunately is not the case right now afaik.
No, it is not mandatory. However, it would be a nice Wishli
Michael Ablassmeier wrote:
> IMHO Lintian should also check if "dh_md5sums" is called and
> print at least a warning if this is not the case.
In principle, I argree, but maybe it's better to check for the presence
of an md5sums file than to "force" (haha) people who don't like it to do
this.
Attach
On Mon, Dec 01, 2003 at 07:43:17PM +0100, Michael Ablassmeier wrote:
> Unfortunately many Maintainers do not use "dh_md5sums" to ship
> an .md5sums File in their Package(s). This makes it harder to
> check the already installed Files on a Debian installation.
>
> I think, at least Packages like "d
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
hi Eduard,
On Mon, Dec 01, 2003 at 06:08:28PM +0100, Eduard Bloch wrote:
> - current md5sums file in control.tar.gz should contain
>checksums of really all files
Unfortunately many Maintainers do not use "dh_md5sums" to ship
an .md5sums File in
74 matches
Mail list logo
