Below is part of a proposal I put up a few days ago. I have since produced a very short perl script (based on dh_md5sum) that should produce a .debmd5.gz for a given .deb file. It is attached, and should be exec'd as "find -name *.deb -exec debmd5 {} \;" in the distro tree.

Would people like to comment on whether this is a good proposal or not? Especially the ftp maintainers ;)

Thanks,
Chris Leishman

----- Forwarded message from Chris Leishman <masklin@debian.org> -----

<snip>

What I propose is to extend the security of Debian. I do not propose an "ultimate security solution", but simply a method to increase the security debian offers to users.

The proposal is as follows:

Each package can contain a DEBIAN/md5sums file. This is normally saved into /var/lib/dpkg/info on the local machine. What I propose is to instead extract this information during dinstall, and save it to a <package>-<version>.md5sums file, to live alongside the .deb on the debian ftp server. (Alternatively, they could be collected into 1 file, like the package list).

A version of debsums could then be implemented to connect to the debian server (or trusted mirror) and use these .md5sums files to verify the majority of the files on a system. The debsums utility could also be moved to a boot disk, to guarantee secure operation given a potentially damaged machine.

<snip>

-- 
----------------------------------------------------------------------
As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key. KeyID 0xA9E087D5
#!/usr/bin/perl -w
# debmd5: write <package>.debmd5.gz next to a .deb, holding the md5sums of the
# files the package ships. Usage: debmd5 <file.deb>
use strict;

my $ddeb    = "/usr/bin/dpkg-deb";
my $package = $ARGV[0] or die "Usage: $0 <file.deb>\n";
my $output  = $package . "md5.gz";   # foo.deb -> foo.debmd5.gz
my $tempout = $package . "md5";

# Fast path: the package already carries a DEBIAN/md5sums control file, so just
# copy it out and compress it.
if (!system("$ddeb -I $package md5sums 2>/dev/null > $tempout")) {
    system("gzip -c $tempout > $output");
} else {
    # No md5sums file: extract the package and checksum its files ourselves,
    # skipping conffiles, which are expected to be edited on the installed system.
    my $exclude = "";
    open(CONFF, "$ddeb -I $package conffiles 2>/dev/null |")
        || die "Couldn't run $ddeb: $!\n";
    while (<CONFF>) {
        chomp;
        s/^\///;                        # conffiles are listed as /etc/foo; find sees etc/foo
        $exclude .= "! -path \"$_\" ";
    }
    close CONFF;
    my $tmpdir = ".debmd5temp$$";
    system("$ddeb --extract $package $tmpdir; "
         . "(cd $tmpdir; find * -type f $exclude -print0 | xargs -r0 md5sum | gzip) > $output; "
         . "rm -rf $tmpdir");
}
unlink $tempout;
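As an added example (not part of the post or of the attached debmd5 script), here is how the debsums-style check proposed above might look as a POSIX shell function: it reads a published .md5sums list, skips entries named in the package's conffiles the same way the script excludes them, and reports files that are missing or changed. The package tree, md5sums list and conffiles are all constructed inline for the demo.

```shell
#!/bin/sh
# Added example: check a local tree against a published <package>.md5sums list,
# skipping conffiles the way the debmd5 script excludes them. Every path and
# file below is constructed for the demo.
set -u

# verify_md5sums ROOT MD5FILE [CONFFILES]
# Prints "MISSING path" / "CHANGED path" per problem; returns the problem count.
verify_md5sums() {
    root=$1; md5file=$2; conffiles=${3:-/dev/null}
    problems=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        # conffiles are listed with a leading slash and are expected to change
        if grep -qxF "/$path" "$conffiles" 2>/dev/null; then continue; fi
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; problems=$((problems + 1)); continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED $path"; problems=$((problems + 1))
        fi
    done < "$md5file"
    return "$problems"
}

# Builds a throwaway package root, "publishes" its md5sums, then damages it.
make_demo_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/root/usr/bin" "$tree/root/etc" "$tree/root/usr/share/doc/hello"
    printf 'echo hello\n' > "$tree/root/usr/bin/hello"
    printf 'greeting=hello\n' > "$tree/root/etc/hello.conf"
    printf 'hello docs\n' > "$tree/root/usr/share/doc/hello/README"
    # the list dinstall would publish next to the .deb
    (cd "$tree/root" && find usr etc -type f -print0 | xargs -0 md5sum) > "$tree/pkg.md5sums"
    printf '/etc/hello.conf\n' > "$tree/conffiles"
    # a modified binary, a deleted doc file, and a legitimate conffile edit
    printf 'echo modified\n' > "$tree/root/usr/bin/hello"
    rm "$tree/root/usr/share/doc/hello/README"
    printf 'greeting=hi\n' > "$tree/root/etc/hello.conf"
    echo "$tree"
}

demo=$(make_demo_tree)
status=0
verify_md5sums "$demo/root" "$demo/pkg.md5sums" "$demo/conffiles" || status=$?
echo "problems: $status"   # prints "problems: 2"
rm -rf "$demo"
```

Without the conffiles argument the edited hello.conf is also reported as CHANGED, which is exactly the noise the conffile exclusion in the script is there to avoid.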