Page last updated:
2002 Oct 08 20:17

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] possible rooted system / checking md5sum on debian



Quoting msimons@moria.simons-clan.com (msimons@moria.simons-clan.com):

> If you are after checking the package gnupg signatures and tracing
> down to the binaries that you have installed to verify that you have
> the correct things... well that isn't implemented yet.

Yes, it is.

Each package's md5sum is in the Release file you retrieve when you do
"apt-get update".  There's a Release.gpg in the same directory
containing the hash value of signing Release with the master package
program's gpg key.  

Either Joey Hess or Wichert Akkerman (I forget which) posted a script to
autocheck the key hash, or you could write your own.  But this check
would be far less meaningful than you might assume, for reasons
including those I describe in
http://linuxmafia.com/~rick/linux-info/debian-package-signing .

> Hopefully next Debian release... see the following url for more
> details.
> 
> http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch7.en.html

Nope.

That explanation is incomplete (possibly just outdated) in failing to
mention the Release.gpg hash, which piece completes the scheme -- for
what it's worth.

I fear the spectre of Khendon's Law, so I won't cite the other reasons
why the scheme is about as worthless as your average RPM
whistle-in-the-dark counterpart.  But you can find them at the cited
URL.

-- 
Cheers,              "It ain't so much the things we don't know that get us
Rick Moen            in trouble.  It's the things we know that ain't so."
rick@linuxmafia.com             -- Artemus Ward (1834-67), U.S. journalist
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
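
The hash chain discussed in this thread, as an added example that is not part of the original post and is not the script it mentions. It assumes the Debian archive layout in which Release lists the digest and size of each Packages index and Packages carries each package's MD5sum field; the Release, Packages and .deb contents are constructed sample data. The signature step is outside the code: Release must first be checked against Release.gpg (for example with `gpg --verify Release.gpg Release`), otherwise every digest below is unauthenticated.

```python
import hashlib

def parse_release_md5(release_text):
    """Return {index_path: (md5_hex, size)} from the MD5Sum: block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_block = True
        elif in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_block = False  # any unindented field ends the block
    return entries

def parse_packages(packages_text):
    """Return {package_name: {field: value}} from a Packages index (blank-line separated stanzas)."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines()
                      if ": " in l and not l.startswith(" "))
        pkgs[fields["Package"]] = fields
    return pkgs

def verify_chain(release_text, index_path, packages_bytes, name, deb_bytes):
    """Check Release -> Packages -> .deb; Release must already be signature-checked."""
    digest, size = parse_release_md5(release_text)[index_path]
    if len(packages_bytes) != size or hashlib.md5(packages_bytes).hexdigest() != digest:
        return "Packages index does not match Release"
    entry = parse_packages(packages_bytes.decode())[name]
    if (len(deb_bytes) != int(entry["Size"])
            or hashlib.md5(deb_bytes).hexdigest() != entry["MD5sum"]):
        return "package does not match Packages index"
    return "ok"

# Constructed sample data standing in for files fetched from a mirror.
INDEX = "main/binary-i386/Packages"
DEB = b"constructed stand-in for hello_1.0_i386.deb"
PACKAGES = ("Package: hello\nVersion: 1.0\n"
            "Filename: pool/main/h/hello/hello_1.0_i386.deb\n"
            f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n").encode()
RELEASE = ("Origin: Example\nSuite: stable\nMD5Sum:\n"
           f" {hashlib.md5(PACKAGES).hexdigest()} {len(PACKAGES)} {INDEX}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, INDEX, PACKAGES, "hello", DEB))
```

A result of "ok" only ties the .deb to what the Release file lists; it says nothing about files already unpacked on a running system.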


