Hi,

In case anyone wonders about the status of replacing md5sums with something stronger _in_ the binary packages, this should be considered to be suspended until the next development cycle (at least, from my PoV).

It has been pointed out that the current checksums aren't sufficient to validate that an installed package is secure (quoting Joey Hess: "there are innumerable ways for an attacker to inject bad behavior/backdoors onto a system without touching binaries originating from dpkg."[1] and "it's also fairly easy to modify a file in /etc to provide a backdoor" ...)

Therefore, it should be clear that there is no urgency in replacing DEBIAN/md5sums as they are "useful for corruption and local (benign) modification checksumming." (quoting Russ Allbery[2]).

The initial proposal to replace md5sum with ${better}sum:
http://wiki.debian.org/Sha256sumsInPackages
should be enhanced with further meta-data. A very early draft is:
http://wiki.debian.org/Proposals/BinaryPackageDescriptor

Regards,
Franklin

On Thu, 2010-03-11 at 00:44 +0100, Frank Lin PIAT wrote:
> On Wed, 2010-03-03 at 03:06 +0100, Wouter Verhelst wrote:
> >
> > I must say I was somewhat surprised by these numbers. Out of 2483
> > packages installed on my laptop, 2340 install md5sums. While that
> > might've been useful at some point, I don't think it still is.
>
> Hi all,
>
> Can you think of any sensible reason for not including md5sums of
> control files, especially the {pre,post}{inst,rm} scripts ?
>
> In the shasum file, those files could be either:
> 1. inserted, with the path rewritten to match their expected
>    location on the target system.
> or
> 2. inserted as a *comment* in the shasum file, like:
>    #68b329da9893e34099c7d8ad5cb9c940 CONTROL.TAR:postinst

[1] http://lists.debian.org/msgid-search/20100308225913.ga25...@gnu.kitenet.net
[2] http://lists.debian.org/msgid-search/87wrxmbkdn....@windlord.stanford.edu

Archive: http://lists.debian.org/1269982677.3574.252.ca...@solid.paris.klabs.be
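The thread above discusses the DEBIAN/md5sums manifest (one line per installed file: hex digest, two spaces, path relative to the filesystem root), a stronger ${better}sum replacement, and Frank Lin PIAT's idea of recording maintainer-script digests as `#` comment lines. The following is an added illustration, not code from the thread or from dpkg: a small checker that parses a manifest in that layout, accepts either md5 or sha256, keeps the comment lines aside, and reports each listed file as ok, mismatched or missing. The file names, contents and digests in `demo()` are constructed for the example; the `CONTROL.TAR:postinst` comment line is only collected, since the thread proposes it but does not define how it would be verified.

```python
import hashlib
import tempfile
from pathlib import Path

# Digest algorithms a manifest of this layout might use; sha256 is the
# stronger replacement the thread talks about.
HASHERS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def parse_sums(text):
    """Parse a DEBIAN/md5sums-style manifest.

    Returns (entries, comments): entries is a list of (hexdigest, relative
    path); comment lines beginning with '#' (the proposed way to carry
    control-file digests such as 'CONTROL.TAR:postinst') are returned
    separately so a verifier can decide what to do with them.
    """
    entries, comments = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("#"):
            comments.append(line[1:].strip())
            continue
        # Manifest lines separate digest and path with two spaces.
        digest, sep, path = line.partition("  ")
        if not sep or not path:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries.append((digest.lower(), path))
    return entries, comments


def hash_file(path, algo):
    """Stream a file through the chosen digest and return its hex form."""
    h = HASHERS[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root, sums_text, algo):
    """Check every listed file under root against its recorded digest.

    Returns a dict mapping relative path -> 'ok' | 'mismatch' | 'missing'.
    Only listed files are examined: anything the manifest does not name
    (e.g. an added file in /etc) is invisible to this check, which is the
    limitation the thread points out.
    """
    entries, _comments = parse_sums(sums_text)
    results = {}
    for digest, rel in entries:
        full = Path(root) / rel
        if not full.is_file():
            results[rel] = "missing"
        elif hash_file(full, algo) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Build a throw-away tree (constructed data), record sha256 digests,
    then alter one file and delete another to show how each is reported."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample payload, not a real package
            "usr/bin/tool": b"#!/bin/sh\necho hello\n",
            "usr/share/doc/tool/README": b"docs\n",
        }
        for rel, data in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        sums = "\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()
        )
        # Comment line in the style the thread proposes for control files.
        sums += "\n#" + hashlib.sha256(b"postinst body").hexdigest()
        sums += " CONTROL.TAR:postinst\n"
        before = verify(root, sums, "sha256")
        (Path(root) / "usr/bin/tool").write_bytes(b"#!/bin/sh\necho changed\n")
        (Path(root) / "usr/share/doc/tool/README").unlink()
        after = verify(root, sums, "sha256")
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run it directly to see a clean tree report every file as `ok` and the altered tree report one `mismatch` and one `missing`. The output is exactly the kind of corruption and local-modification signal the thread says the manifest is good for; it says nothing about files the manifest never listed, so a mismatch-free run is not evidence that the system is untouched.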