[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

md5 package summaries on ftp server (was Re: System integrity)

Below is part of a proposal I put up a few days ago.  I have since
produced a very short perl script (based on dh_md5sum) that should
produce a .debmd5.gz for a given .deb file.  It is attached, and should
be exec'd as "find -name *.deb -exec debmd5 {} \;" in the distro tree.

Would people like to comment on wether this is a good proposal or not?
Especially the ftp maintainers ;)

Thanks,


Chris Leishman




----- Forwarded message from Chris Leishman <masklin@debian.org> -----

<snip>

What I propose is to extend the security of Debian.  I do not propose an
"ultimate security solution", but simply a method to increase the security
debian offers to users.  The proposal is as follows:


  Each package can contain a DEBIAN/md5sums file.  This is normally saved
  into /var/lib/dpkg/info on the local machine.  What I propose is to
  instead extract this information during dinstall, and save is to a
  <package>-<version>.md5sums file, to live alongside the .deb on the debian
  ftp server.  (Alternatively, they could be collected into 1 file, like
  the package list).

  A version of debsums could then be implemented to connect to the debian
  server (or trusted mirror) and use these .md5sums files to verify the
  majority of the files on a system.  The debsums utility could also be
  moved to a boot disk, to guarantee secure operation given a potentially
  damaged machine.

<snip>


-- 
----------------------------------------------------------------------
       As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5

#!/usr/bin/perl -w

$ddeb = "/usr/bin/dpkg-deb";

$package = $ARGV[0];
$output=$package."md5.gz";
$tempout=$package."md5";

if (!system("$ddeb -I $package md5sums 2>/dev/null > $tempout"))
{
	system("gzip -c $tempout > $output");
}
else
{
	my $exclude="";
	open (CONFF, "$ddeb -I $package conffiles 2>/dev/null |")
		|| die "Couldn't run $ddeb: $!\n";
	while(<CONFF>)
	{
		chomp;
		s/^\///;
		$exclude .= "! -path \"$_\" ";
	}
	close CONFF;

	system("$ddeb --extract $package .debmd5temp$$; (cd .debmd5temp$$; find * -type f $exclude -print0 | xargs -r0 md5sum | gzip ) > $output; rm -rf .debmd5temp$$");
	$output=$package."md5.gz";
}

unlink $tempout;

Attachment: pgpWv2OYNk6mZ.pgp
Description: PGP signature

Reply to: