Elmar Stellnberger:
> Dear Debian-Security
>
> Having just released debcheckroot, I want to briefly present my new tool to you.
> It was originally designed as a replacement for debsums and has the following
> qualities:
> * full support of Debian repos, reading /etc/[apt/]sources.list to fetch
>   checksums online
> * it can check a Debian installation remotely from any Unix-like system, just
>   requiring perl, gzip, bzip2 and tar
> * it does not require a chroot into, or any tools of, the installation to be
>   checked;
>   debcheckroot is thus the better choice when it comes to security (chroots
>   may infect the freshly booted system);
>   the checkroot family of programs has already proven to spot various
>   rootkits not detected by chkrootkit and rkhunter
> * usage of checksums from the package header by default rather than locally
>   stored ones (insecure if not backed up on, f.i., a USB stick); fast unpacking
>   on the fly into memory without the creation of temporary files
> * nicely formatted output into files for later analysis
> ... and all of that in just 930 lines of code.
>
> Though debcheckroot is currently still licensed under S-FSL, I am ready to
> re-publish it under any license you like
> if you can at least promise me to maintain the necessary support
> infrastructure for it:
> * sha256sums rather than the somewhat old-fashioned md5sums
> * checksums for all packages in the core distro (some are still missing
>   md5sums)
> i.e. we would have to update debhelper to create shasums in addition to
> md5sums and enable this for all packages
Here is a wishlist of mine:

- put your code in git source code management
- create a debcheckroot Debian package
- upload that Debian package to the official Debian repository (that would simplify the creation of a Live DVD or Live USB with debcheckroot a lot; people get debcheckroot from a safer location; it helps with publicity)
- doesn't debcheckroot perfectly fit with the Debian reproducible team? They might be interested in helping with packaging and sponsoring the upload. Please consider getting in touch with them.

Cheers,
Patrick

