Chris Leishman wrote: > What I propose is to extend the security of Debian. I do not propose an > "ultimate security solution", but simply a method to increase the security > debian offers to users. The proposal is as follows: > > > Each package can contain a DEBIAN/md5sums file. This is normally saved > into /var/lib/dpkg/info on the local machine. What I propose is to > instead extract this information during dinstall, and save is to a > <package>-<version>.md5sums file, to live alongside the .deb on the debian > ftp server. (Alternatively, they could be collected into 1 file, like > the package list).
I'm not tracking this proposal on the weekly policy summary because as far as I can see, it has nothing to do with policy per se, it's stricly a debian mirror thing. If people disagree with me on this, I'll be happy to track it. > A version of debsums could then be implemented to connect to the debian > server (or trusted mirror) and use these .md5sums files to verify the > majority of the files on a system. The debsums utility could also be > moved to a boot disk, to guarantee secure operation given a potentially > damaged machine. It's worth noting (as I have before) that Jim Dennis (some may know his from linux gazette as the "answer guy" was/is/may be working on something similar. His idea was to simply compare a debian cd against the install system, checking md5sums. It gains you about the same things. -- see shy jo
