

Re: are md5sums mandatory for all packages?



On Tue, Dec 16, 1997 at 11:46:29PM -0600, Manoj Srivastava wrote:
>
>	The addition of the md5sums has come up before. Personally, I
> think the utility is limited, given the presence of tripwire, which
> goes much further to ensure the integrity of the system (For example:
> a bad guy changes /usr/sbin/foo *and* /var/lib/dpkg/info/foo.md5sum,
> you shall not be any wiser; and you can't put /var/lib/dpkg/info on a
> read only media).

Hmm, well my intention for the md5sums is a bit different.  I'd like to
use them to 1) check package integrity, and 2) check for modified
configuration files.  Tripwire is fine, and you'd still have to run tripwire.

For example.  I install the base system, and it has /etc/fstab as one of the
files.  That file gets installed and modified before tripwire gets installed,
so tripwire couldn't manage it.  This also applies to installed packages
where configuration files were modified before tripwire got a chance to
manage them.

One of the tools I eventually want to write is a system of grabbing the
configuration of a machine and storing it for later use.  For example
maybe to transfer the personality to another machine or reinstall
the OS, etc.  For this, one of the more important things is keeping track
of modified configuration files.

I also think that some of the files in /var/lib/dpkg/info should have
the creation time of the time the package was installed.  This way you
could tell when the package was installed; currently I couldn't find any
means to tell.

>	However, if people still feel the need to do this, then it
> should be done by dpkg --build, rather than be needlessly duplicated
> by all package rules (and possibly done incorrectly).

I agree.

>	There is no need to make this policy. Change dpkg, and it
> shall happen for all packages automagically.

I tend to think that the behaviour of dpkg should be guided by
policy, or maybe what I'm trying to say is that the policy should
dictate the ".deb" file format, and the dpkg process.  That's just
my thought.


Radu
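
The two positions in this thread, as an added example that is not part of the original message and is not dpkg code: a verifier that checks installed files against a per-package md5sums manifest, run once with a trusted copy of the manifest and once with a manifest that was rewritten together with the file. It assumes md5sum-style lines (digest, two spaces, path relative to the root); the tree, file contents and function names are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

LINE = re.compile(r"([0-9a-f]{32})  (.+)")  # md5sum output: digest, two spaces, path


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def parse_manifest(text):
    """Map relative path -> expected digest; reject lines that do not parse."""
    entries = {}
    for line in filter(None, text.splitlines()):
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1)
    return entries


def verify(root, manifest_text):
    """Return {path: 'ok' | 'modified' | 'missing'} for every manifest entry."""
    status = {}
    for rel, expected in parse_manifest(manifest_text).items():
        target = Path(root) / rel
        if not target.is_file():
            status[rel] = "missing"
        else:
            status[rel] = "ok" if md5_hex(target.read_bytes()) == expected else "modified"
    return status


def demo():
    """Constructed tree: edit a config file, then swap a binary and its manifest entry."""
    files = {"etc/fstab": b"/dev/hda1 / ext2 defaults 0 1\n", "usr/sbin/foo": b"original\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_bytes(data)
        manifest = "".join(f"{md5_hex(d)}  {r}\n" for r, d in files.items())
        (Path(root) / "etc/fstab").write_bytes(b"/dev/hda1 / ext2 defaults,noatime 0 1\n")
        (Path(root) / "usr/sbin/foo").write_bytes(b"replaced\n")
        trusted = verify(root, manifest)  # manifest kept out of reach: both changes show
        # Manifest stored on the same writable disk and rewritten with the binary:
        rewritten = manifest.replace(md5_hex(b"original\n"), md5_hex(b"replaced\n"))
        return trusted, verify(root, rewritten)
```

`demo()` returns both results: with the trusted manifest the edited `etc/fstab` and the replaced `usr/sbin/foo` are both reported as modified, while with the rewritten manifest `usr/sbin/foo` verifies as ok.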

