Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
Re: [suse-security] autorpm and latest secure files
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Sun, 13 Aug 2000 17:16:40 +1200 (NZST)
  • Message-id: <200008130516.RAA16719@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> What are the recomended steps to do security updates from FTP when there is no
> PGP signature in the files? You know there was this incident with tripwire on
> the dutch server that was hacked and trojaned as far as I remember. Is there a
> reason to worry about somebody being able to hack and trojan the security
> updates supplied via ftp AND to hack an change the md5 sums provided by SuSE
> at the same time? Or is this coincidence too far from being probable?

The bottom line is that the usefulness of those md5 sums is seriously
impaired. As I pointed that out while 6.3 was current I am a little
disappointed that 7.0 still does not have signed packages. There may be
organisational problems, but Red Hat manages since 4.2 and 1996.

My question of long ago about how to use those md5 sums easily never
got an answer. Here is what I figure:

1) get the md5 sum:

a) copy out of advisory (after checking the advisory's signature) and
paste into a texteditor. Given the number of bugs and incorrectly placed
(by SuSE) sums in the advisory, I would not assign a very high relibility
factor to this source.

b) download that file with the sums from the ftp server. One would have
to use directly, mirrors could have been hacked. What about
encryption-related packages?

As has been pointed out (by Gerhard?), doing both and cross-checking
might be a good idea.

2) paste sums into a text editor. Then paste the filename in there too,
with 2 spaces separation. The lines in the advisory are useless, because
they are of the form
72b3eb67t36f ftp://.../package.rpm
md5sum -c does not take complete URLs, and anyway I download packages
including the version or things would become very messy at my end. That
the advisory does not contain full package names is a pain.

3) run md5sum -c

Perhaps I am lazy, but I find that a PITA. Disregarding laziness,
the usefulness of the whole procedure is doubtful as well, as the chain
breaks in the weakest point, and the weakest point is that md5sums can not
be obtained securely. Even is not as secure as the
machine SuSE would be using to sign packages. Or am I missing something?

I have hopes for 7.1...


< Previous Next >