pkg-perl-maintainers team mailing list archive

[Bug 1100295] Re: MD5 is insecure, add modern hashing

 

Marking Ubuntu GNOME as Invalid as that's just far too broad.

Marking debsums and dpkg as Wontfix because debsums is not intended to
be a security tool:

       debsums is intended primarily as a way of determining what
       installed files have been locally modified by the
       administrator or damaged by media errors and is of limited
       use as a security tool.

       If you are looking for an integrity checker that can run from
       safe media, do integrity checks on checksum databases and can
       be easily configured to run periodically to warn the admin of
       changes see other tools such as: aide, integrit, samhain, or
       tripwire.

I suspect the list of suggested programs in the last sentence may need
some modification due to the passage of time.

debsums is not suitable for determining malicious modifications of the
filesystem. An attacker in a position to modify packaged files can
likely also replace debsums itself, any libraries that debsums may use,
the database of hashes, perhaps even kernel mechanisms that would hide
the effects of modified filesystems.

debsums is meant to help discover locally-modified programs and it
serves that purpose well even with md5.

Thanks

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to debsums in Ubuntu.
https://bugs.launchpad.net/bugs/1100295
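
The argument in the message above, as an added example that is not part of the original post and is not debsums code: a check against a local hash database only detects changes that leave the database alone, whatever the hash algorithm. The helper names, the temporary tree, and the idea of a SHA-256 of the database recorded on safe media are assumptions made for illustration; the line format is the `<md5hex>  <relative path>` layout of dpkg's `.md5sums` files.

```python
import hashlib
import os
import tempfile

def digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def parse_md5sums(db_path):
    """Parse dpkg-style lines: '<md5hex>  <path relative to root>'."""
    with open(db_path, encoding="utf-8") as f:
        rows = (line.rstrip("\n").split(None, 1) for line in f if line.strip())
        return {relpath: md5hex.lower() for md5hex, relpath in rows}

def changed_files(root, db_path):
    """debsums-style check: files whose MD5 differs from the local database."""
    bad = []
    for relpath, expected in parse_md5sums(db_path).items():
        full = os.path.join(root, relpath)
        if not os.path.isfile(full) or digest(full, "md5") != expected:
            bad.append(relpath)
    return sorted(bad)

def check_with_pinned_db(root, db_path, pinned_sha256):
    """Trust the database only if it matches a digest recorded off-host."""
    if digest(db_path, "sha256") != pinned_sha256:
        return "database-modified", []
    return "ok", changed_files(root, db_path)

def write_file(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed data: one file plus its database in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "usr/bin/tool")
        db = os.path.join(root, "tool.md5sums")
        os.makedirs(os.path.dirname(target))
        write_file(target, b"original\n")
        write_file(db, f"{digest(target, 'md5')}  usr/bin/tool\n".encode())
        pinned = digest(db, "sha256")  # assumption: stored on safe media
        out = {"clean": check_with_pinned_db(root, db, pinned)}
        write_file(target, b"edited\n")  # file changed, database untouched
        out["file_only"] = changed_files(root, db)
        # File and database changed together: the local check has no anchor.
        write_file(db, f"{digest(target, 'md5')}  usr/bin/tool\n".encode())
        out["local_check"] = changed_files(root, db)
        out["pinned_check"] = check_with_pinned_db(root, db, pinned)
        return out
```

`demo()` returns the four results side by side: the local check flags the file-only edit, reports nothing once the database is rewritten too, and only the externally pinned digest notices that case.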
