[ILUG] Ximian on Debian Potato
Jerry Walsh
jerry at aardvark.ie
Thu Apr 26 12:26:25 IST 2001
> >> You are no more exposed by running the go-gnome.sh than you are
> >> by installing the packages.
>
> JW> I've used Debian once - I don't like it but isn't there at least
> JW> an md5 sum check done on the packages?
>
>There is, but the Packages file, wherein the checksum lives, is part
>of the same directory tree as the packages themselves. If the
>packages are compromised, so are the checksums. The md5sums are not
>an anti-tampering measure.
>
> JW> With this go-gnome.sh you pass it directly to a root shell, no
> JW> checks no nothing
>
>Same as with debs, RPMs or indeed ports from the collection.

uhm... no.

Checksums aren't just used to check if the package is damaged, they're
used to check if the contents of the file are what they should be.
If the file is damaged then it won't match, if the file's been tampered with
then it won't match either.

Are you saying if you install a port/package and you see it downloads
fully, untars properly but the checksum doesn't match you'll ignore that? I
certainly wouldn't.

md5sums are more a security measure than a method of checking if files are
complete.

As I said already the go-gnome script makes no attempt at security, that's
why I complained about it, you're more exposed to 'evil-ness' using that
script/installation method than you are using packages/ports etc.
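
The disagreement in this thread turns on where the checksum comes from, so here is an added example (not part of the original messages) that models a mirror whose digest index sits in the same tree as the packages. It checks a package with and without an index digest obtained out of band. Assumptions: SHA-256 stands in for the md5sums discussed, and the package name, byte strings and pinning scheme are constructed for illustration.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    # SHA-256 used in place of md5; the argument does not depend on the hash.
    return hashlib.sha256(data).hexdigest()


def make_mirror(packages: dict) -> dict:
    """Constructed model of a mirror: package files plus a digest index in the same tree."""
    index = "\n".join(f"{digest(blob)}  {name}" for name, blob in sorted(packages.items()))
    return {"files": dict(packages), "index": index.encode()}


def parse_index(index: bytes) -> dict:
    entries = {}
    for line in index.decode().splitlines():
        hexdigest, name = line.split("  ", 1)
        entries[name] = hexdigest
    return entries


def verify(mirror: dict, name: str, pinned_index_digest: str = None) -> str:
    """Return 'ok', 'bad-package' or 'bad-index'."""
    # Step 1 (optional): authenticate the index against a digest obtained out of band.
    if pinned_index_digest is not None:
        if not hmac.compare_digest(digest(mirror["index"]), pinned_index_digest):
            return "bad-index"
    # Step 2: compare the package with the digest listed in the index.
    expected = parse_index(mirror["index"]).get(name)
    blob = mirror["files"].get(name)
    if expected is None or blob is None or digest(blob) != expected:
        return "bad-package"
    return "ok"


def scenarios() -> dict:
    name = "gnome-core.deb"                       # constructed package name
    good = make_mirror({name: b"genuine package bytes"})
    pinned = digest(good["index"])                # assumed to arrive via a trusted channel
    # Only the package file changed; the index is the original one.
    file_only = {"files": {name: b"modified package bytes"}, "index": good["index"]}
    # The whole tree changed, so the index was regenerated to match.
    whole_tree = make_mirror({name: b"modified package bytes"})
    return {
        "file_only_unpinned": verify(file_only, name),
        "whole_tree_unpinned": verify(whole_tree, name),
        "whole_tree_pinned": verify(whole_tree, name, pinned),
        "genuine_pinned": verify(good, name, pinned),
    }
```

A mismatch is reported when only the package file differs, but a regenerated index in the same tree passes unless the index itself is checked against a value from outside that tree.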