MD5 sums for new CVS packages

Dagmar d'Surreal no.spam at allowed.here
Sat Jan 4 14:09:48 PST 2003


On Fri, 2003-01-03 at 11:25, Carsten Gehrke wrote:
> At 03:38 03-01-03, Gerard Beekmans wrote:
> >On January 3, 2003 02:21 am, Carsten Gehrke wrote:
> > > Hmm, my concern was actually that I wanted to make sure the files had not
> > > been tampered with.  I think I got everything from GNU.org, but couldn't
> > > find any PGP/GPG signatures there.  MD5 fingerprints on the same server are
> > > worthless.  If obtained from a different source, they are better than
> > > nothing.  Otherwise, I wait about a week to see if any reports of
> > > compromises occur.  For some packages, I have contacted the author
> > > directly, but in this case there are too many.  I was hoping someone here
> > > on the list might have copies of these files and could run MD5 on them.
> >
> >I got the source from ftp.gnu.org too so it doesn't mean much if the packages
> >were compromised. And I repack all downloaded packages (often they're not
> >.bz2 yet) so MD5SUMS are different. All I can do is download the stuff from
> >ftp.gnu.org and give you the MD5SUMS as I download them but that doesn't give
> >you much of a guarantee, does it.
> 
> I followed the bz2 links on Freshmeat, so all files except sed are 
> bz2.  But you are right, if you download them now it wouldn't really help 
> me.  So, I have two questions:
> 
> 1) How do you ensure that source files you download have not been altered?

You *can't*, basically.  Not with most software packages anyway.

If there are no signatures of any kind, you can try sitting on the
tarball you obtained, waiting a few weeks, and seeing if anything foul
is reported to Bugtraq, or then download a second copy, compare the two
and cross your fingers.

If there are md5 signatures in the same place as the tarball, they
really don't mean a thing.  They're only useful for determining if the
file was corrupted as you downloaded it.  Any blackhat who is serious
about collecting shell hosts will change the md5sum file to match the
md5sum of their modified tarball.  Additionally, md5 by itself can be
beaten, although usually a tarball will take a little damage from the
mechanism.  This is why you see md5 _and_ sha1 hashes used together in a
number of places.

In any case, *none* of it is a good substitute for software that vendors
have signed with GPG/PGP, and distributed their keys through an outside
channel, such as a public keyserver or large mailing list.  (Groups like
Apache and Sendmail who have an ascii armored copy of the relevant
signatures in the same directory as the tarball expect that you will
verify that those are the correct keys by fingerprint or comparison
against a public keyserver.)

> For small packages, or small changes to packages where I have an older 
> version available, I'll inspect the source for anything suspicious.  But if 
> the changes are too great, that approach is not feasible.

No kidding.  Just to be safe I still check the diff of the configure
script and makefiles though.

(remainder snipped)

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-support' in the subject header of the message
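
The point made above about MD5SUMS files that live next to the tarball,
as an added example that is not part of this thread or of any LFS or GNU
tooling.  It builds a fake mirror directory in memory (the tarball bytes,
the filename and the "attacker payload" are all constructed), has an
attacker replace the tarball and regenerate MD5SUMS, and then runs the
three checks the message describes: the co-located MD5SUMS check, a check
against md5 and sha1 hashes recorded out of band, and a comparison of two
separately obtained copies.  The GPG verification step is not covered
here; nothing below touches the network.

```python
"""Added example, not from the original post: why an MD5SUMS file that sits
beside the tarball proves nothing against substitution, and what a pinned
out-of-band hash or a second copy does catch.  All inputs are constructed."""
import hashlib


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def parse_sums(text: str) -> dict:
    """Parse md5sum/sha1sum output: '<hexdigest>  <filename>' per line.
    Blank lines and '#' comments are skipped; a leading '*' on the filename
    (the binary-mode marker) is tolerated."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name:
            sums[name] = digest.lower()
    return sums


def make_server(tarball: bytes, name: str) -> dict:
    """A mirror directory: the tarball plus an MD5SUMS generated from it."""
    return {name: tarball, "MD5SUMS": f"{md5_hex(tarball)}  {name}\n"}


def tamper(server: dict, name: str, payload: bytes) -> dict:
    """What a serious attacker does: replace the tarball AND regenerate the
    MD5SUMS file so the co-located check still passes."""
    trojaned = server[name] + payload
    return make_server(trojaned, name)


def check_colocated(server: dict, name: str) -> bool:
    """Verify the tarball against the MD5SUMS from the same directory.
    Detects download corruption only, never substitution."""
    expected = parse_sums(server["MD5SUMS"]).get(name)
    return expected is not None and md5_hex(server[name]) == expected


def check_pinned(data: bytes, pinned: dict) -> bool:
    """Verify against hashes obtained through another channel (an announcement
    on a list, a copy fetched weeks earlier).  Both md5 and sha1 must match,
    as the post describes seeing them used together."""
    return md5_hex(data) == pinned["md5"] and sha1_hex(data) == pinned["sha1"]


def compare_copies(a: bytes, b: bytes) -> bool:
    """The 'download a second copy later and compare the two' approach."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def demo() -> dict:
    name = "sed.tar.bz2"  # constructed filename, not a real release
    genuine = b"BZh91AY&SY constructed stand-in for the genuine tarball"
    honest = make_server(genuine, name)
    # hashes recorded out of band, before any mirror was touched
    pinned = {"md5": md5_hex(genuine), "sha1": sha1_hex(genuine)}

    evil = tamper(honest, name, b"\nconstructed attacker modification")

    return {
        "honest_colocated": check_colocated(honest, name),          # True
        "evil_colocated": check_colocated(evil, name),              # True: useless
        "honest_pinned": check_pinned(honest[name], pinned),        # True
        "evil_pinned": check_pinned(evil[name], pinned),            # False: caught
        "copies_match": compare_copies(honest[name], evil[name]),   # False: caught
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The trojaned mirror passes check_colocated exactly as the message warns,
because the attacker controls both files; only the hashes pinned from a
second channel, or a second copy obtained at a different time, flag the
substitution.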