Mailinglist Archive: opensuse-security (331 mails)

Re: [suse-security] SuSE ftp and checksums
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 01 Sep 2000 18:21:08 +1200 (NZST)
  • Message-id: <200009010621.SAA20144@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Are you talking about MD5 sums in a list file on the FTP server?
> In that case this wouldn't make any sense: who is able to change
> the RPM packages, would be able to change the list file too...

Just one of the reasons why those MD5 sums are not so useful, which I
had argued a few times before on this list.

> > And perhaps this could then be PGP signed?
>
> Good point! I remember we had this topic here already, and IIRC

Yep

> They publish the MD5's in security announcements that are sent to
> Bugtraq/etc. These MD5 sums are available in many places, such as my weekly

Fine, but packages are updated on the ftp server for which there is never
any advisory. Yet another reason why those MD5s aren't so useful. They
would be if they were handled properly, but that is very unlikely
to happen.

> I seem to remember that too. In any case I'll be doing a review of it when it
> comes out and they'll be roasted (just like I did Debian =) if packages are
> not signed.

Turn your oven on:

> Date: Sun, 06 Aug 2000 22:43:12 +0200 (MEST)
> From: Roman Drahtmueller <draht@xxxxxxx>
> Subject: Re: [suse-security] SuSE security reputation, etc..
> Cc: suse-security@xxxxxxxx
[...]
> > a waste of time anyway. USE GPG-SIGNING - NOW!
>
> Is on its way. But not for 7.0 any more - time was too tight.

:-(

On the other hand, I keep in mind that SuSE has, and solves, a large
pile of problems Red Hat simply doesn't have (e.g. languages). But I
strongly suggested that MD5s are useless and package signing a necessity
when 6.3 was hot off the press!!

Volker
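
The two points made in this thread, that an MD5 list fetched from the same FTP server as the packages proves nothing because whoever can replace a package can regenerate the list, and that packages updated without an advisory are not covered at all, are shown below as an added example. This is not code from the thread or from SuSE; the package names and contents are constructed stand-ins, and the manifest format just mirrors md5sum's "digest  filename" output.

```python
import hashlib

# Constructed stand-ins for RPMs on the FTP server (file name -> contents).
# These bytes are made up for the example; they are not real packages.
PACKAGES = {
    "foo-1.0-1.i386.rpm": b"contents of foo 1.0-1",
    "bar-2.3-4.i386.rpm": b"contents of bar 2.3-4",
}


def md5_hex(data: bytes) -> str:
    """MD5 of a package, as the md5sum tool prints it."""
    return hashlib.md5(data).hexdigest()


def build_manifest(packages: dict) -> str:
    """Write a list file in md5sum's 'digest  filename' format."""
    return "".join(f"{md5_hex(data)}  {name}\n"
                   for name, data in sorted(packages.items()))


def parse_manifest(text: str) -> dict:
    """Parse a list file back into {filename: digest}; skips blank/comment lines."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digests[name] = digest.lower()
    return digests


def verify(packages: dict, manifest_text: str) -> dict:
    """Check every package against a manifest.

    Returns {filename: "ok" | "MISMATCH" | "UNLISTED"}. UNLISTED marks a
    package on the server for which the manifest has no entry at all.
    """
    expected = parse_manifest(manifest_text)
    result = {}
    for name, data in packages.items():
        if name not in expected:
            result[name] = "UNLISTED"
        elif md5_hex(data) == expected[name]:
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    return result


def scenario():
    """Compromise of the FTP server, checked two ways.

    Returns (in_band, out_of_band): the verify() results when the MD5 list
    is fetched from the same server as the packages, and when it comes from
    an advisory mailed out before the compromise.
    """
    # 1. The vendor publishes packages plus the MD5 list on the FTP server;
    #    the same digests also go out in a security announcement (out of band).
    advisory_manifest = build_manifest(PACKAGES)

    # 2. An attacker with write access to the FTP server swaps one package
    #    for a trojaned build and, having the same access, regenerates the
    #    list file so that it matches the new contents.
    tampered = dict(PACKAGES)
    tampered["foo-1.0-1.i386.rpm"] = b"trojaned foo"
    # A package updated on the server for which no advisory was ever issued.
    tampered["baz-0.9-1.i386.rpm"] = b"contents of baz 0.9-1"
    server_manifest = build_manifest(tampered)

    in_band = verify(tampered, server_manifest)        # everything "ok"
    out_of_band = verify(tampered, advisory_manifest)  # foo MISMATCH, baz UNLISTED
    return in_band, out_of_band


if __name__ == "__main__":
    in_band, out_of_band = scenario()
    print("MD5 list from the FTP server itself:", in_band)
    print("MD5 list from the advisory:         ", out_of_band)
```

The in-band check passes for every file, including the trojaned one, because the attacker rewrote the list along with the package; only the copy of the digests that left the server before the compromise catches the swap, and even that copy says nothing about a package that was never the subject of an advisory. A detached signature over each package (or over the list) fixes both gaps at once: the only thing that has to reach the user out of band is the public key, and it covers every package the vendor signs, advisory or not.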
