On Thu, 7 Feb 2002, Manoj Srivastava wrote:

> If you have a broken dpkg/md5sum on the machine, the only way
> to detect that after booting from known secure media (like a cdrom
> you have audited) is if the hash file were generated (and known not
> to be tampered because of a cryptographic signature) on another
> machine.
This has all the same problems as signed .debs and brings in no signed release goodness so *insert the usual complaint about signed .debs accountability, Debian and blah*

To get this level of security I recommend we first dispose of .md5sums and create instead a .filelist info file - this would contain hash, permissions, symlink, device major/minor/etc data. Then, we add a new field to the packages file which would be called 'FileList-SHA1' which is.. the SHA1 of this filelist.

It is now possible to answer the question 'is this machine Debian 2.1r5 and how many packages have a questionable origin', which is really what you are talking about when you say you want to validate an untrusted machine. Remember you cannot trust the status file and the .md5sum file gives zippo insight into what version of the package you have installed.

People doing .deb sigs can include a signature of the filelist file, the ftp maintainers already sign the package file. You can or can not include the filelist file - I see no reason to, it just wastes space.

apt-ftparchive can easily generate the new field by internally computing the filelist file and hashing it in exactly the same manner that dpkg would use to write the file. (this is a virtually free operation, and nearly all the code already exists.)

Interestingly, if we choose the filelist format wisely it is not necessary to store the filelist file at all. A client could compute the filelist data directly from the on-disk state of the package. If it matches the hash then yay otherwise the .deb can be fetched and detailed diff done.

Even more interestingly, all we need to do is change apt-ftparchive and *all existing systems* are immediately checkable without any upgrades.

This is surely better, yes?

Jason
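The scheme Jason sketches, as an added illustration that is not part of the thread and not apt or dpkg code: a canonical filelist is built from on-disk state (type, permission bits, symlink target, device numbers, content hash), the SHA1 of that text is what a 'FileList-SHA1' field would carry, and a client verifies by recomputing from disk rather than reading any stored list. The line format and the tiny package tree are constructed assumptions for the example; the point it shows beyond the text is that a mode-only change (no content change) is caught because permissions are part of the hashed data, which a plain .md5sums file would miss.

```python
import hashlib
import os
import stat
import tempfile

# Hypothetical canonical line format for the proposed .filelist (an assumption
# for this example, not a format Debian used):
#   "<type> <mode> <path> <sha1|link target|major:minor>"
def filelist_entry(root, rel):
    full = os.path.join(root, rel)
    try:
        st = os.lstat(full)
    except FileNotFoundError:
        return f"missing {rel}"          # an absent path still changes the hash
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        return f"l {mode:04o} {rel} {os.readlink(full)}"
    if stat.S_ISDIR(st.st_mode):
        return f"d {mode:04o} {rel}"
    if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
        kind = "c" if stat.S_ISCHR(st.st_mode) else "b"
        return f"{kind} {mode:04o} {rel} {os.major(st.st_rdev)}:{os.minor(st.st_rdev)}"
    with open(full, "rb") as fh:
        return f"f {mode:04o} {rel} {hashlib.sha1(fh.read()).hexdigest()}"

def build_filelist(root, paths):
    # Sorted and newline-terminated so the same tree always yields the same
    # bytes; that determinism is what lets archive and client agree on a hash
    # without ever shipping the list itself.
    return "".join(filelist_entry(root, p) + "\n" for p in sorted(paths))

def filelist_sha1(root, paths):
    # The value the proposed Packages field 'FileList-SHA1' would carry.
    return hashlib.sha1(build_filelist(root, paths).encode()).hexdigest()

def verify(root, paths, expected_sha1):
    # Client side: recompute from on-disk state and compare.
    return filelist_sha1(root, paths) == expected_sha1

def demo():
    """Constructed package tree; returns (clean, after_content_change, after_mode_change)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    tool = os.path.join(root, "usr/bin/tool")
    original = b"#!/bin/sh\necho ok\n"
    with open(tool, "wb") as fh:
        fh.write(original)
    os.chmod(tool, 0o755)
    os.symlink("tool", os.path.join(root, "usr/bin/tool-alias"))
    paths = ["usr/bin", "usr/bin/tool", "usr/bin/tool-alias"]

    recorded = filelist_sha1(root, paths)      # what the archive side would publish
    clean = verify(root, paths, recorded)

    with open(tool, "ab") as fh:               # content changed on disk
        fh.write(b"echo extra\n")
    after_content = verify(root, paths, recorded)

    with open(tool, "wb") as fh:               # content restored, only mode changed
        fh.write(original)
    os.chmod(tool, 0o700)
    after_mode = verify(root, paths, recorded)
    return clean, after_content, after_mode

if __name__ == "__main__":
    print(demo())
```

Run as a script it builds the tree in a temporary directory and prints the three verdicts; on a real system the `paths` list would come from the package's own file list and `recorded` from the signed Packages file.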