Linux Users' Group of Davis
Page last updated:
2002 Oct 08 20:17

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] possible rooted system / checking md5sum on debian

Quoting msimons@moria.simons-clan.com (msimons@moria.simons-clan.com):

> If you are after checking the package gnupg signatures and tracing
> down to the binaries that you have installed to verify that you have
> the correct things... well that isn't implemented yet.

Yes, it is.

Each package's md5sum is in the Release file you retrieve when you do
"apt-get update".  There's a Release.gpg in the same directory
containing the hash value of signing Release with the master package
program's gpg key.  

Either Joey Hess or Wichert Akkerman (I forget which) posted a script to
autocheck the key hash, or you could write your own.  But this check
would be far less meaningful than you might assume, for reasons
including those I describe in
http://linuxmafia.com/~rick/linux-info/debian-package-signing .

> Hopefully next Debian release... see the following url for more
> details.
> http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch7.en.html


That explanation is incomplete (possibly just outdated) in failing to
mention the Release.gpg hash, which piece completes the scheme -- for
what it's worth.

I fear the spectre of Khendon's Law, so I won't cite the other reasons
why the scheme is about as worthless as your average RPM
whistle-in-the-dark counterpart.  But you can find them at the cited

Cheers,              "It ain't so much the things we don't know that get us
Rick Moen            in trouble.  It's the things we know that ain't so."
rick@linuxmafia.com             -- Artemus Ward (1834-67), U.S. journalist
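
The check discussed in this post (Release.gpg as a signature over Release, then the md5sums that Release lists), as an added example that is not part of the original post and not the script either poster refers to. The function names and demo data are constructed, and it assumes the usual Release layout: an `MD5Sum:` section whose lines give the hash, size and path of each index file.

```shell
#!/bin/sh
# Added example. Function names and the demo data are constructed.
# Assumed layout: Release has an "MD5Sum:" section whose lines read
# " <md5> <size> <path>", and Release.gpg is a detached signature over Release.

# Step 1: check the signature. Requires the archive signing key to be in
# your keyring already; gpg only proves "signed by that key".
verify_release_sig() {   # usage: verify_release_sig Release.gpg Release
    gpg --verify "$1" "$2"
}

# Step 2: print the md5 that Release records for one index file.
release_md5_for() {      # usage: release_md5_for Release <path>
    awk -v want="$2" '
        /^MD5Sum:/ { in_md5 = 1; next }   # section starts
        /^[^ ]/    { in_md5 = 0 }         # any other field ends it
        in_md5 && $3 == want { print $1; exit }
    ' "$1"
}

# Step 3: compare the recorded hash with the file on disk.
check_index() {          # usage: check_index Release <path> <local-file>
    expected=$(release_md5_for "$1" "$2")
    [ -n "$expected" ] || { echo "no MD5Sum entry for $2" >&2; return 2; }
    actual=$(md5sum "$3" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK   $2"
    else
        echo "FAIL $2: Release says $expected, file is $actual" >&2
        return 1
    fi
}

# Demo on constructed files (no network, no gpg): run as "sh script demo".
demo() {
    d=$(mktemp -d) || return 1
    printf 'Package: hello\nVersion: 1.0\n' > "$d/Packages"
    sum=$(md5sum "$d/Packages" | awk '{ print $1 }')
    printf 'Origin: Constructed\nMD5Sum:\n %s 28 main/binary-i386/Packages\n' \
        "$sum" > "$d/Release"
    check_index "$d/Release" main/binary-i386/Packages "$d/Packages"
    echo 'Package: tampered' >> "$d/Packages"
    check_index "$d/Release" main/binary-i386/Packages "$d/Packages" || true
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On a possibly compromised host, run these steps from trusted media with a keyring obtained out of band, since a local `gpg`, `md5sum` or keyring may itself have been altered.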