On Wed, Mar 03, 2010, Wouter Verhelst wrote:
> In this day and age of completely and utterly broken MD5[0], I think we
> should stop providing these files, and maybe provide something else
> instead. Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> md5sums.
>
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

I use them regularly after laptop crashes; I found some misinstalled
packages a couple of times because a crash would happen just after an
upgrade.

--
Loïc Minier

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100303124010.GB7516@bee.dooz.org

On Wed, Mar 03, 2010 at 03:06:20AM +0100, Wouter Verhelst wrote:
> In this day and age of completely and utterly broken MD5[0], I think we
> should stop providing these files, and maybe provide something else
> instead. Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> md5sums.
>
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

As a means to check for filesystem corruptions or non-malicious changes,
MD5 is good enough. So until we have something better, I guess they can
stay.

But it would be great if the whole chain, from beginning to end, was
secured, even against a malicious and presumably very powerful attackers.
That would need:
* Package signatures
Currently only the release file is signed, but if you have a package
lying around, there is no way to check its authenticity.
* Cryptographically strong hashes for all files in the package
and a signature on the hash file.
Then you could really check the authenticity of all files on the system.
For the hash I would skip SHA-1 and move directly to SHA-256.

Oh, and a good read about the lifetime of hash algorithms can be found here: [0]

Cheers,
harry

[0] http://valerieaurora.org/hash.html

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20100303133905.GB11984@nn.nn

Mike Hommey writes:

> On Wed, Mar 03, 2010 at 08:29:09AM +0000, Neil Williams wrote:
>> On Wed, 3 Mar 2010 08:35:18 +0100
>> Mike Hommey wrote:
>>
>> > On Wed, Mar 03, 2010 at 06:30:34AM +0000, Sune Vuorela wrote:
>> > >
>> > > The md5 sums isn't to be used in case of a break in, as you can't trust
>> > > anything on the system anyways, but more things like:
>> > > - did I make; sudo make install something on top of packages
>> > > - did I just quickly hack a p{erl,ython}-script on the system to do
>> > > something different and forgot
>> >
>> > Which makes me think... wouldn't it be nice from dpkg to check the
>> > package files haven't been modified before upgrading ?
>>
>> No - if you're upgrading, you're doing it because you want to be sure
>> that the Debian version replaces the old version. However, if you do
>> use 'make; sudo make install; with a prefix of /usr instead
>> of /usr/local then a) you're taking a risk and b) md5sums are only a
>> partial protection. md5sums will NOT catch instances where the upstream
>> 'make install' provides files that are not part of the Debian package
>> nor will it catch files that have been moved as part of Debian
>> packaging. As these files are not put into place by dpkg anyway, then
>> they won't get cleaned up by dpkg and cannot be detected either by
>> using md5sums or by using dpkg. (dpkg will complain that certain
>> directories are not empty if the packaged files being upgraded are in
>> special places but not otherwise.) There's every chance that having
>> extraneous and/or duplicate content in the wrong places will break the
>> Debian package in ways that are not easily detectable and md5sums won't
>> help with that.
>>
>> Having md5sums around for simple checks like local admins copying
>> modified scripts over packaged versions is one thing but IMHO it does
>> not justify having md5sums in the wider case because a) local admin
>> changes are the responsibility of the local admin and b) md5sums only
>> help detect those changes where the admin changes a filename that
>> exactly matches the packaged name rather than adding more content /
>> cruft.
>>
>> 'sudo make install' into /usr is not something that md5sums can help us
>> fix and if that is the sole justification for retaining them then I
>> think that is a false argument.
>
> My point is that these people doing that, or even better, people doing
> an upgrade on a system where other people have been doing that would
> probably *want* to have a warning about the fact that the files dpkg is
> going to replace did *not* match what was supposed to be there in the
> first place.
>
> That would also possibly help spot filesystem errors, because when
> upgrading, dpkg is not going to write to the same places where the
> previous versions of the files were, and when it finishes upgrading, it
> will just remove the previous files and the corruptions, especially if
> they are due to hardware problems, will still be unnoticed and may
> affect more important data much later, when the freed space is used
> again.
>
> Mike

Run a nightly/weekly cron job that verifies all files. No point waiting
for a package upgrade to check this.

MfG
Goswin

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87vdddlm95.fsf@frosties.localdomain

Wouter Verhelst, 2010-03-03 03:06:20 +0100 :

[...]

> In this day and age of completely and utterly broken MD5[0], I think
> we should stop providing these files, and maybe provide something else
> instead. Like, I dunno, shasums? Or perhaps gpgsigs? But stop
> providing md5sums.
>
> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"?
> Didn't think so.

It is useful. Not too efficient against attacks, I'll grant you, but
there are other use cases. One of those I run into from time to time,
as maintainer of servers with webapps, is that I want to know from time
to time if there have been local changes in installed files when
compared to the (already custom) packages, so I can have a look and
integrate the changes into the next version of the custom packages. The
suggestion of having dpkg warn me on upgrade is interesting, but to be
proactive I'm happy to run debsums on my own before the deployment
stage. Because when you're in a deployment rush and one of the files
lacks a semicolon and breaks the whole app, you just $EDITOR
/usr/share/.../foo.php; some other times, your client messes with their
CSS files locally, and you don't want to be grumbled at if you lose that
change, even if you (and the client) know that the change *should* have
been done in the packages in the first place.

I'm quite okay with replacing or complementing the md5sums with
something stronger if it helps with security, but removing them
altogether… please no.

Roland.
--
Roland Mas

La menace de la baffe pèse plus lourd que la baffe elle-même.
-- in Sri Raoul le petit yogi (Gaudelette)

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/87iq9du42q.fsf@mirexpress.internal.placard.fr.eu...

Wouter Verhelst writes:

> Or is it useful to be able to say "if it doesn't check out, it's
> certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> think so.

I don't understand why you say this. Cryptographic attacks on MD5 aren't
going to happen as a result of random file corruption. The MD5 checksums
are still very effective at finding file corruption or modification from
what's in the Debian package unless that modification was done by a
sophisticated attacker (MD5 preimage attacks are still not exactly easy).
Detecting compromises is useful, but only a small part of what the MD5
checksums are useful for. I'd more frequently use them to detect
well-intentioned but misguided meddling by a local sysadmin.

I certainly don't object to replacing them with SHA1 hashes, although
signed deb packages would still be my preferred solution to this problem.

--
Russ Allbery (rra@debian.org)

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/874okyuov4.fsf@windlord.stanford.edu