Bug#223772: general: no md5sums for many packages (e.g. bc)
On 18-Dec-03, 02:43 (CST), [EMAIL PROTECTED] wrote:

> Do you want to tell us that the absence of the md5sums-files (those which
> contain md5sums for every file in the package, and they _are_ absent for a
> number of packages) should not be considered a bug, even if debsums
> complains about this?

Amazingly enough, debsums is not policy. Lack of the md5sums file might be a wishlist bug. If you file such a bug, and the maintainer closes it, then the decision has been made for that particular package.

If you've been paying attention, many of us don't believe that including per-file md5sums in packages provides any real value. Others disagree, as sometimes happens. As the arguments have already been made in this thread, over and over and over and over, I won't repeat them.

Steve

--
Steve Greenland
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net
Bug#223772: general: no md5sums for many packages (e.g. bc)
> > Goswin von Brederlow <[EMAIL PROTECTED]> wrote on
> > 16.12.2003 19:15:43:
> > now it is getting clearer. we are talking about different things.
> > I'm talking about the md5sums files in the directory
> > /var/lib/dpkg/info. You talk about the md5 sum of the whole package
> > (MD5sum). so what I like to say is, that for the debian package bc
> > (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in
> > place. this file is checked and used by the tool debsums. that is
> > the thing I'm claiming about.
>
> I know. I'm talking about both.

Do you want to tell us that the absence of the md5sums-files (those which contain md5sums for every file in the package, and they _are_ absent for a number of packages) should not be considered a bug, even if debsums complains about this?
Bug#223772: Reply: Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Goswin von Brederlow <[EMAIL PROTECTED]> wrote on 16.12.2003 19:15:43:

now it is getting clearer. we are talking about different things. I'm talking about the md5sums files in the directory /var/lib/dpkg/info. You talk about the md5 sum of the whole package (MD5sum). so what I like to say is, that for the debian package bc (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in place. this file is checked and used by the tool debsums. that is the thing I'm claiming about.

regards
Werner

> [EMAIL PROTECTED] writes:
>
> > goswin,
> >
> > [EMAIL PROTECTED] writes:
> >
> > > > Subject: general: no md5sums for many packages (e.g. bc)
> > > > Package: general
> > > > Version: N/A; reported 2003-12-12
> > > > Severity: normal
> > > > Tags: security
> > >
> > > Every package has a md5sum in the Package file.
> > the answer is not correct. pls see as an example the package bc with version
> > 1.06-8 or bzip2 version 1.0.2-1,
>
> Package: bc
> Version: 1.06-12
> MD5sum: 9e9945dd5b84b14658c179c2b04c7b89
>
> _EVERY_ deb has a md5sum in the Packages file.
>
> > > Some packages have a useless and space wasting md5sums file inside the
> > > package. Due to its uselessness the existence is rather a bug than its
> > > omission.
> > i don't understand your comment above. why is the md5sums file useless and
> > space wasting especially in terms of security? until now, I was of the
> > opinion, that the md5sum gives me the guarantee that a debian package is not
> > penetrated before installation and further - after having the packages
> > installed on a machine - the md5sum files give me the confidence that the
> > debian binaries are correct and consistent.
>
> Any attacker would surely change the md5sums file along with changing
> the actual files. Nothing guards against the md5sums file getting
> changed intentionally or accidentally.
>
> Only the global md5sum in the Packages file says the file got not
> changed since, well, since the Packages file was generated. Since
> nothing checks the Release.gpg signature (without apt-secure
> installed) that's not much more secure either. But you can make sure
> it's not changed since ftp-master.debian.org generated the file.
>
> Regards
> Goswin
Bug#223772: Reply: Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
[EMAIL PROTECTED] writes:

> Goswin von Brederlow <[EMAIL PROTECTED]> wrote on
> 16.12.2003 19:15:43:
> now it is getting clearer. we are talking about different things.
> I'm talking about the md5sums files in the directory
> /var/lib/dpkg/info. You talk about the md5 sum of the whole package
> (MD5sum). so what I like to say is, that for the debian package bc
> (and many others) there is no file /var/lib/dpkg/info/bc.md5sums in
> place. this file is checked and used by the tool debsums. that is
> the thing I'm claiming about.

I know. I'm talking about both.

> regards Werner
>
> > [EMAIL PROTECTED] writes:
> >
> > > goswin,
> > >
> > > [EMAIL PROTECTED] writes:
> > >
> > > > > Subject: general: no md5sums for many packages (e.g. bc)
> > > > > Package: general
> > > > > Version: N/A; reported 2003-12-12
> > > > > Severity: normal
> > > > > Tags: security
> > > >
> > > > Every package has a md5sum in the Package file.
> > > the answer is not correct. pls see as an example the package bc with version
> > > 1.06-8 or bzip2 version 1.0.2-1,
> >
> > Package: bc
> > Version: 1.06-12
> > MD5sum: 9e9945dd5b84b14658c179c2b04c7b89
> >
> > _EVERY_ deb has a md5sum in the Packages file.
> >
> > > > Some packages have a useless and space wasting md5sums file inside the
> > > > package. Due to its uselessness the existence is rather a bug than its
> > > > omission.
> > > i don't understand your comment above. why is the md5sums file useless and
> > > space wasting especially in terms of security? until now, I was of the
> > > opinion, that the md5sum gives me the guarantee that a debian package is not
> > > penetrated before installation and further - after having the packages
> > > installed on a machine - the md5sum files give me the confidence that the
> > > debian binaries are correct and consistent.
> >
> > Any attacker would surely change the md5sums file along with changing
> > the actual files. Nothing guards against the md5sums file getting
> > changed intentionally or accidentally.
> >
> > Only the global md5sum in the Packages file says the file got not
> > changed since, well, since the Packages file was generated. Since
> > nothing checks the Release.gpg signature (without apt-secure
> > installed) that's not much more secure either. But you can make sure
> > it's not changed since ftp-master.debian.org generated the file.
> >
> > Regards
> > Goswin

Regards
Goswin
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
On Tuesday 16 December 2003 20:15, Goswin von Brederlow wrote:
--cut--
> > i don't understand your comment above. why is the md5sums file useless
> > and space wasting especially in terms of security? until now, I was of
> > the opinion, that the md5sum gives me the guarantee that a debian package
> > is not penetrated before installation and further - after having the
> > packages installed on a machine - the md5sum files give me the confidence
> > that the debian binaries are correct and consistent.
>
> Any attacker would surely change the md5sums file along with changing
> the actual files. Nothing guards against the md5sums file getting
> changed intentionally or accidentally.

That's true because everyone could use md5sum to generate the sum of an arbitrary file, but just one person has access to his/her private key to sign with.

> Only the global md5sum in the Packages file says the file got not
> changed since, well, since the Packages file was generated. Since
> nothing checks the Release.gpg signature (without apt-secure
> installed) that's not much more secure either. But you can make sure
> it's not changed since ftp-master.debian.org generated the file.

So what is the plan from now on:
1. integrate only the apt-secure patch into main apt - to complete the chain of trust via vendors.list.
2. accept the dpkg-sig package recently introduced - to create and verify signatures on .deb-files
3. do both

Note that implementing just 1. would not suffice since installations via dpkg -i will not check the signatures.

--
pub 4096R/0E4BD0AB 2003-03-18
1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
Bug#223772: general: no md5sums for many packages (e.g. bc)
[EMAIL PROTECTED] writes:

> goswin,
>
> [EMAIL PROTECTED] writes:
>
> > > Subject: general: no md5sums for many packages (e.g. bc)
> > > Package: general
> > > Version: N/A; reported 2003-12-12
> > > Severity: normal
> > > Tags: security
> >
> > Every package has a md5sum in the Package file.
> the answer is not correct. pls see as an example the package bc with version
> 1.06-8 or bzip2 version 1.0.2-1,

Package: bc
Version: 1.06-12
MD5sum: 9e9945dd5b84b14658c179c2b04c7b89

_EVERY_ deb has a md5sum in the Packages file.

> > Some packages have a useless and space wasting md5sums file inside the
> > package. Due to its uselessness the existence is rather a bug than its
> > omission.
> i don't understand your comment above. why is the md5sums file useless and
> space wasting especially in terms of security? until now, I was of the
> opinion, that the md5sum gives me the guarantee that a debian package is not
> penetrated before installation and further - after having the packages
> installed on a machine - the md5sum files give me the confidence that the
> debian binaries are correct and consistent.

Any attacker would surely change the md5sums file along with changing the actual files. Nothing guards against the md5sums file getting changed intentionally or accidentally.

Only the global md5sum in the Packages file says the file got not changed since, well, since the Packages file was generated. Since nothing checks the Release.gpg signature (without apt-secure installed) that's not much more secure either. But you can make sure it's not changed since ftp-master.debian.org generated the file.

Regards
Goswin
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Thomas Viehmann <[EMAIL PROTECTED]> writes:

>> The md5sum files inside the package as they are now can be generated
>> at install time by anyone who wishes to have them. Security wise they
>> are useless and for accidental corruption they are redundant (since
>> they can be generated at install time).
>>
>> Thus they just waste space and bandwidth.
> A lot more and larger things could be generated at install time.
>
Yeah, let's switch to a source-based distro!!!1

SCNR, Andy

--
Andreas Rottmann | [EMAIL PROTECTED] | [EMAIL PROTECTED] | [EMAIL PROTECTED]
http://yi.org/rotty | GnuPG Key: http://yi.org/rotty/gpg.asc
Fingerprint | DFB4 4EB4 78A4 5EEE 6219 F228 F92F CFC5 01FD 5B62

It's *GNU*/Linux dammit!
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
> The md5sum files inside the package as they are now can be generated
> at install time by anyone who wishes to have them. Security wise they
> are useless and for accidental corruption they are redundant (since
> they can be generated at install time).
>
> Thus they just waste space and bandwidth.

A lot more and larger things could be generated at install time. They do save time. Also, they can detect corruption during installation after installation.

Regards
T.
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
[EMAIL PROTECTED] wrote:

> why is the md5sums file useless and space wasting especially in
> terms of security? until now, I was of the opinion, that the md5sum
> gives me the guarantee that a debian package is not penetrated
> before installation

No, that's what the checksum of the entire .deb file in the Packages file is there for. An attacker who can tamper with /usr/bin/foo within the .deb can just as easily tamper with the md5sums file within the .deb.

> and further - after having the packages installed on a machine - the
> md5sum files give me the confidence that the debian binaries are
> correct and consistent.

No. An attacker who changes the binaries can just as easily change the md5sum files stored in /var/lib/dpkg/info. If you go to a trusted copy of the .deb file for verifying your binaries, you have the original binaries right there, and do not need precomputed checksums for comparing them bit-for-bit with what's on your disk.

It has been argued on debian-devel (read the thread!) that the md5sums files can be handy to have for detection of non-malicious random acts of God. But the sense of *security* gained by having the .deb install a set of checksums on the same machine as the package itself is false.

--
Henning Makholm
"You are probably damn well alone in thinking that. Because it's in Australia!"
Bug#223772: general: no md5sums for many packages (e.g. bc)
goswin,

> [EMAIL PROTECTED] writes:
>
> > Subject: general: no md5sums for many packages (e.g. bc)
> > Package: general
> > Version: N/A; reported 2003-12-12
> > Severity: normal
> > Tags: security
>
> Every package has a md5sum in the Package file.
the answer is not correct. pls see as an example the package bc with version 1.06-8 or bzip2 version 1.0.2-1,
>
> Some packages have a useless and space wasting md5sums file inside the
> package. Due to its uselessness the existence is rather a bug than its
> omission.
i don't understand your comment above. why is the md5sums file useless and space wasting especially in terms of security? until now, I was of the opinion, that the md5sum gives me the guarantee that a debian package is not penetrated before installation and further - after having the packages installed on a machine - the md5sum files give me the confidence that the debian binaries are correct and consistent.
>
> Please close this bug, read the threads on debian-devel about this and
> if you still want md5sum files help making actually useful ones.
>
> Regards
> Goswin
expecting your answer.

Best regards

Dipl.-Ing. Werner THÖNI
Allgemeines Rechenzentrum GmbH
Technical Division
Head of UNIX Systems Group
A-6020 Innsbruck, Tschamlerstraße 2
Tel.: +43 / (0)50400-0
Fax: +43 / (0)50400-1382
e-Mail: [EMAIL PROTECTED]
http://www.arz.co.at
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
> Re: Goswin von Brederlow in <[EMAIL PROTECTED]>

Why not set it so they are generated when a package is created? Am I understanding correctly? And then they could be gpg signed by the developer??? This adds one more check to the security of the system. I used debsums just a few days ago to determine if a package was corrupt, quite useful.

Is this something that would require maintainers to rebuild their packages, or could the build machines do it?

--Luke

> > They are not generated by apt/dpkg, so few people will actually build
> > them. Since accidental corruption only occurs accidentally, it would be
> > very convenient if the md5sums were already there if something crashes.
> > Besides that, if the md5sums are in the package, you can check whether
> > the installation went fine.
> >
> > I don't see where a text file with one line per file installed wastes
> > more resources than {pick anything for a package you don't need, e.g.
> > 95% of translated manpages, etc.}.
> >
> > Christoph
> > Christoph Berg <[EMAIL PROTECTED]>, http://www.df7cb.de/
> > Wohnheim D, 2405, Universität des Saarlandes, 0681/9657944
>
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Re: Goswin von Brederlow in <[EMAIL PROTECTED]>
> The md5sum files inside the package as they are now can be generated
> at install time by anyone who wishes to have them. Security wise they
> are useless and for accidental corruption they are redundant (since
> they can be generated at install time).

They are not generated by apt/dpkg, so few people will actually build them. Since accidental corruption only occurs accidentally, it would be very convenient if the md5sums were already there if something crashes. Besides that, if the md5sums are in the package, you can check whether the installation went fine.

> Thus they just waste space and bandwidth.

I don't see where a text file with one line per file installed wastes more resources than {pick anything for a package you don't need, e.g. 95% of translated manpages, etc.}.

Christoph
--
Christoph Berg <[EMAIL PROTECTED]>, http://www.df7cb.de/
Wohnheim D, 2405, Universität des Saarlandes, 0681/9657944
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
David Weinehall <[EMAIL PROTECTED]> writes:

> On Sun, Dec 14, 2003 at 03:30:46PM +0100, Bernhard R. Link wrote:
> > * Bruno Rodrigues <[EMAIL PROTECTED]> [031213 19:50]:
> > > Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> > > > Some packages have a useless and space wasting md5sums file inside the
> > > > package. Due to its uselessness the existence is rather a bug than its
> > > > omission.
> > > >
> > > > Please close this bug, read the threads on debian-devel about this and
> > > > if you still want md5sum files help making actually useful ones.
> > >
> > > I guess he means md5sum for files inside package, as in:
> >
> > I think Goswin knows what files are meant here. But I really do not
> > understand, why he is trolling against them. (Especially with such
> > arguments, that I have a hard time to suppress my wish to use the
> > same and requesting the removal of all .desktop files. ("I do not need
> > them, they are a waste of space and bandwidth and anyone using them is
> > stupid."))

The md5sum files inside the package as they are now can be generated at install time by anyone who wishes to have them. Security wise they are useless and for accidental corruption they are redundant (since they can be generated at install time).

Thus they just waste space and bandwidth.

Regards
Goswin
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
> My point exactly, even though I tried to make it through irony.

Which enhances your point for those who understand but might get your voice ignored for those who don't. Maybe I'm just overcautious because I've just experienced a bad case of "vocal minority (1.5%) gets their way because they're more vocal" this weekend.

Cheers

T.
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
On Sun, Dec 14, 2003 at 07:24:40PM +0100, Thomas Viehmann wrote:
> David Weinehall wrote:
> > And documentation? Hell, use the source-code.
> Source code? Who needs source code?
>
> Seriously: I've had some problems with file system corruption every now
> and then. The md5sums are a nice way to check whether the basic binaries
> on the disk are still what I'd like them to be without having to have
> install media at hand.
> I'd agree that there is no security implication in having them or not,
> but there's features besides security.

My point exactly, even though I tried to make it through irony.

/David
--
 /) David Weinehall <[EMAIL PROTECTED]> /) Northern lights wander      (\
//  Maintainer of the v2.0 kernel   // Dance across the winter sky //
\)  http://www.acc.umu.se/~tao/    (/   Full colour fire           (/
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
David Weinehall wrote:
> And documentation? Hell, use the source-code.
Source code? Who needs source code?

Seriously: I've had some problems with file system corruption every now and then. The md5sums are a nice way to check whether the basic binaries on the disk are still what I'd like them to be without having to have install media at hand.
I'd agree that there is no security implication in having them or not, but there's features besides security.

Cheers

T.
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
On Sun, Dec 14, 2003 at 03:30:46PM +0100, Bernhard R. Link wrote:
> * Bruno Rodrigues <[EMAIL PROTECTED]> [031213 19:50]:
> > Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> > > Some packages have a useless and space wasting md5sums file inside the
> > > package. Due to its uselessness the existence is rather a bug than its
> > > omission.
> > >
> > > Please close this bug, read the threads on debian-devel about this and
> > > if you still want md5sum files help making actually useful ones.
> >
> > I guess he means md5sum for files inside package, as in:
>
> I think Goswin knows what files are meant here. But I really do not
> understand, why he is trolling against them. (Especially with such
> arguments, that I have a hard time to suppress my wish to use the
> same and requesting the removal of all .desktop files. ("I do not need
> them, they are a waste of space and bandwidth and anyone using them is
> stupid."))

Yeah, and I'll request removal of changelogs; there's always diff...
And documentation? Hell, use the source-code.

/David
--
 /) David Weinehall <[EMAIL PROTECTED]> /) Northern lights wander      (\
//  Maintainer of the v2.0 kernel   // Dance across the winter sky //
\)  http://www.acc.umu.se/~tao/    (/   Full colour fire           (/
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
* Bruno Rodrigues <[EMAIL PROTECTED]> [031213 19:50]:
> Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> > Some packages have a useless and space wasting md5sums file inside the
> > package. Due to its uselessness the existence is rather a bug than its
> > omission.
> >
> > Please close this bug, read the threads on debian-devel about this and
> > if you still want md5sum files help making actually useful ones.
>
> I guess he means md5sum for files inside package, as in:

I think Goswin knows what files are meant here. But I really do not understand, why he is trolling against them. (Especially with such arguments, that I have a hard time to suppress my wish to use the same and requesting the removal of all .desktop files. ("I do not need them, they are a waste of space and bandwidth and anyone using them is stupid."))

Respectfully,
Bernhard R. Link
--
Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Goswin von Brederlow <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] writes:
>
>> Subject: general: no md5sums for many packages (e.g. bc)
>> Package: general
>> Version: N/A; reported 2003-12-12
>> Severity: normal
>> Tags: security
>
> Every package has a md5sum in the Package file.
>
> Some packages have a useless and space wasting md5sums file inside the
> package. Due to its uselessness the existence is rather a bug than its
> omission.
>
> Please close this bug, read the threads on debian-devel about this and
> if you still want md5sum files help making actually useful ones.

I guess he means md5sum for files inside package, as in:

  [EMAIL PROTECTED]:~$ debsums bc
  debsums: no md5sums for bc
  [EMAIL PROTECTED]:~$ debsums debsums
  usr/bin/debsums                                   OK
  usr/sbin/debsums_gen                              OK
  (...)
  [EMAIL PROTECTED]:/var/lib/dpkg/info$ ls *.list | wc -l
  1135
  [EMAIL PROTECTED]:/var/lib/dpkg/info$ ls *.md5sums | wc -l
  1042

Looking at the source:

  CHROOT/[EMAIL PROTECTED]:~/code/bc/bc-1.06$ grep md5sums debian/rules
  # dh_md5sums -pbc
  # dh_md5sums -pdc

It would be nice to fix those packages to enable a simple system testing without requiring installing something like tripwire.
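The debsums run above compares each installed file against /var/lib/dpkg/info/<pkg>.md5sums. The script below is an added example, not code from this thread, from debsums or from dh_md5sums: it builds and verifies a list in that format over a constructed fake root (package name, file contents and paths are made up), and shows the point argued elsewhere in the thread: a list that is regenerated on the same host after a file changes reports everything OK, while a copy kept apart from the host (such as one taken from the trusted .deb) reports the change as FAILED.

```python
"""Generate and verify a debsums-style per-file md5sums list.

Added example, not code from the bug thread, debsums or dh_md5sums.  Format
mimicked: /var/lib/dpkg/info/<pkg>.md5sums, one "<32 hex>  <path>" per line.
"""
import hashlib
import os
import shutil
import tempfile

HEXDIGITS = set("0123456789abcdef")

def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def generate_md5sums(root, rel_paths):
    """Build the list for rel_paths (relative to root), as dh_md5sums does at
    build time or debsums_gen does after installation."""
    return "".join("%s  %s\n" % (md5_of_file(os.path.join(root, rel)), rel)
                   for rel in sorted(rel_paths))

def parse_md5sums(text):
    """Return [(digest, rel_path), ...]; reject lines not in the format."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        if len(digest) != 32 or not set(digest) <= HEXDIGITS or not rel:
            raise ValueError("malformed md5sums line %d: %r" % (lineno, line))
        entries.append((digest, rel))
    return entries

def verify(root, md5sums_text):
    """Map each listed path to OK / FAILED / MISSING, as debsums reports."""
    results = {}
    for digest, rel in parse_md5sums(md5sums_text):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "MISSING"
        elif md5_of_file(path) == digest:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results

def demo():
    """Constructed scenario: fake root with two files of a package 'bc'.
    After the binary changes, the on-host list is regenerated (the thread's
    point: whoever changes the files can also update the list); a copy kept
    off the host, e.g. taken from the trusted .deb, is not."""
    root = tempfile.mkdtemp()
    try:
        files = {"usr/bin/bc": b"#!/bin/sh\necho bc\n",
                 "usr/share/doc/bc/copyright": b"GPL\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        trusted = generate_md5sums(root, files)   # copy kept apart from the host
        with open(os.path.join(root, "usr/bin/bc"), "ab") as f:
            f.write(b"# modified\n")              # binary changed: tamper or bit rot
        local = generate_md5sums(root, files)     # on-host list rewritten to match
        return {"local_list": verify(root, local),
                "trusted_list": verify(root, trusted)}
    finally:
        shutil.rmtree(root)
```

Calling demo() returns both verdict maps; only the list held apart from the host flags usr/bin/bc.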
Processed: Re: Bug#223772: general: no md5sums for many packages (e.g. bc)
Processing commands for [EMAIL PROTECTED]:

> tags 223772 - security
Bug#223772: general: no md5sums for many packages (e.g. bc)
Tags were: security
Tags removed: security

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#223772: general: no md5sums for many packages (e.g. bc)
[EMAIL PROTECTED] writes:

> Subject: general: no md5sums for many packages (e.g. bc)
> Package: general
> Version: N/A; reported 2003-12-12
> Severity: normal
> Tags: security

Every package has a md5sum in the Package file.

Some packages have a useless and space wasting md5sums file inside the package. Due to its uselessness the existence is rather a bug than its omission.

Please close this bug, read the threads on debian-devel about this and if you still want md5sum files help making actually useful ones.

Regards
Goswin
Bug#223772: general: no md5sums for many packages (e.g. bc)
Subject: general: no md5sums for many packages (e.g. bc)
Package: general
Version: N/A; reported 2003-12-12
Severity: normal
Tags: security

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux donald 2.4.18-xfs-1.1 #1 Tue Apr 8 09:10:07 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Best regards

Dipl.-Ing. Werner THÖNI
Allgemeines Rechenzentrum GmbH
Technical Division
Head of UNIX Systems Group
A-6020 Innsbruck, Tschamlerstraße 2
Tel.: +43 / (0)50400-0
Fax: +43 / (0)50400-1382
e-Mail: [EMAIL PROTECTED]
http://www.arz.co.at