Dear all,

During investigation of kernel panics on a Debian stable (sarge) server I administer, I installed debsums. The result of the first run was:

blah:~# debsums -c
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: no md5sums for console-data
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for hotplug
debsums: no md5sums for initscripts
debsums: no md5sums for kernel-image-2.6.8-2-686
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: no md5sums for libgdbm3
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for libreadline4
debsums: no md5sums for make
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for modutils
debsums: no md5sums for mount
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: no md5sums for php4
debsums: no md5sums for php4-pear
debsums: no md5sums for rsync
debsums: no md5sums for squid
debsums: no md5sums for squid-common
debsums: no md5sums for ssh
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
blah:~#

Now, I consider this a pretty secure machine: I monitor it closely with tripwire, it has a very tight network fingerprint, multiple layers of authentication, latest security patches are always installed on the day they are published, etc. So I believe the above output NOT to be the result of a breach.

My question is, is it acceptable to have so many important and widely used packages in *stable* without MD5 checksums?

Secondly, how can one fix this on a production system? Is the following method proposed by Paul Gear @ http://lists.debian.org/debian-security/2005/06/msg00126.html the best/only way?

    cd /var/cache/apt/archives
    apt-get --download-only --reinstall install `debsums -l`
    debsums --generate=keep,nocheck *.deb

Thanks for any input

-A
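
What the regenerated md5sums files make possible, as an added example that is not part of the original message and not debsums' own code: a manifest in the `<md5>  <relative path>` layout of dpkg's `.md5sums` files is built for a file tree and later checked against it. The function names and the sample tree are constructed for illustration.

```python
# Added illustration, not debsums' own code. Assumed layout: "<md5>  <relative path>".
import hashlib
import os
import tempfile

def md5_of(path):
    """MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def generate_manifest(root):
    """Manifest lines for every regular file under root, sorted by path."""
    lines = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                lines.append(f"{md5_of(full)}  {os.path.relpath(full, root)}")
    return sorted(lines, key=lambda line: line.split("  ", 1)[1])

def check_manifest(root, lines):
    """Return {relative path: "missing" | "changed"} for files that fail the check."""
    problems = {}
    for line in lines:
        digest, rel = line.split("  ", 1)
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif md5_of(full) != digest:
            problems[rel] = "changed"
    return problems

def demo():
    """Constructed sample tree standing in for one package's installed files."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [("usr/bin/tool", b"v1\n"), ("etc/tool.conf", b"a=1\n")]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)))
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = generate_manifest(root)      # taken while the tree is known good
        with open(os.path.join(root, "usr/bin/tool"), "wb") as f:
            f.write(b"tampered\n")              # simulate a modified binary
        os.remove(os.path.join(root, "etc/tool.conf"))
        return manifest, check_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```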

