[vox-tech] possible rooted system / checking md5sum on debian

Rick Moen vox-tech@lists.lugod.org
Mon, 7 Oct 2002 22:17:06 -0700


Quoting msimons@moria.simons-clan.com (msimons@moria.simons-clan.com):

> If you are after checking the package gnupg signatures and tracing
> down to the binaries that you have installed to verify that you have
> the correct things... well that isn't implemented yet.

Yes, it is.

Each package's md5sum is in the Release file you retrieve when you do
"apt-get update".  There's a Release.gpg in the same directory
containing the hash value of signing Release with the master package
program's gpg key.  

Either Joey Hess or Wichert Ackerman (I forget which) posted a script to
autocheck the key hash, or you could write your own.  But this check
would be far less meaningful than you might assume, for reasons
including those I describe in
http://linuxmafia.com/~rick/linux-info/debian-package-signing .

> Hopefully next Debian release... see the following url for more
> details.
> 
> http://www.linuxsecurity.com/docs/harden-doc/html/securing-debian-howto/ch7.en.html

Nope.

That explanation is incomplete (possibly just outdated) in failing to
mention the Release.gpg hash, which piece completes the scheme -- for
what it's worth.

I fear the spectre of Khendon's Law, so I won't cite the other reasons
why the scheme is about as worthless as your average RPM
whistle-in-the-dark counterpart.  But you can find them at the cited
URL.

-- 
Cheers,              "It ain't so much the things we don't know that get us
Rick Moen            in trouble.  It's the things we know that ain't so."
rick@linuxmafia.com             -- Artemus Ward (1834-67), U.S. journalist
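The hash chain referred to above, worked through as an added example (this is not Rick Moen's code nor anything from the Debian project): the signature in Release.gpg covers the Release file, whose MD5Sum: section lists the md5sum and size of each Packages index, and each Packages stanza in turn lists the md5sum of one .deb. The script below parses those two files and walks the chain down to a .deb. It assumes that layout, uses constructed sample data so it runs offline, and assumes the OpenPGP step (gpg --verify Release.gpg Release against a key you trust, obtained out of band) has already been done and is not shown.

```python
import hashlib

# Constructed sample data (not a real Debian package or archive).
SAMPLE_DEB = b"!<arch>\ndebian-binary   constructed sample, not a real .deb\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_packages(deb_path: str, deb_bytes: bytes) -> bytes:
    """Constructed Packages index with a single stanza, as an archive would publish it."""
    stanza = (
        "Package: example\n"
        "Version: 1.0-1\n"
        "Architecture: i386\n"
        f"Filename: {deb_path}\n"
        f"Size: {len(deb_bytes)}\n"
        f"MD5sum: {md5_hex(deb_bytes)}\n"
    )
    return stanza.encode()


def build_release(packages_path: str, packages_bytes: bytes) -> str:
    """Constructed Release file whose MD5Sum: section covers the Packages index."""
    return (
        "Origin: Constructed\n"
        "Suite: stable\n"
        "MD5Sum:\n"
        f" {md5_hex(packages_bytes)} {len(packages_bytes)} {packages_path}\n"
    )


def parse_release_md5sums(release_text: str) -> dict:
    """Return {path: (md5hex, size)} from the MD5Sum: section of a Release file."""
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                in_section = False  # the next top-level field ends the section
                continue
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: MD5sum} from a Packages index (stanzas separated by blank lines)."""
    result = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "Filename" in fields and "MD5sum" in fields:
            result[fields["Filename"]] = fields["MD5sum"].lower()
    return result


def verify_chain(release_text, packages_path, packages_bytes, deb_path, deb_bytes):
    """Walk Release -> Packages -> .deb. The signature over Release is assumed checked already."""
    release = parse_release_md5sums(release_text)
    if packages_path not in release:
        return False, "Packages index not listed in Release"
    want_md5, want_size = release[packages_path]
    if len(packages_bytes) != want_size or md5_hex(packages_bytes) != want_md5:
        return False, "Packages index does not match Release"
    pkgs = parse_packages(packages_bytes.decode())
    if deb_path not in pkgs:
        return False, "package not listed in Packages"
    if md5_hex(deb_bytes) != pkgs[deb_path]:
        return False, ".deb does not match Packages"
    return True, "ok"


PACKAGES_BYTES = build_packages(DEB_PATH, SAMPLE_DEB)
RELEASE_TEXT = build_release(PACKAGES_PATH, PACKAGES_BYTES)

if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, SAMPLE_DEB))
    # A single altered byte in the .deb breaks the last link of the chain.
    print(verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_BYTES, DEB_PATH, SAMPLE_DEB + b"\x00"))
```

Two things worth keeping in mind when using a check like this: the signature binds only what Release names, so a .deb whose Packages index is not listed there (or was fetched from elsewhere) is not covered at all, and MD5 is today only an integrity check against accidental corruption, not a collision-resistant one, which is why later Debian Release files also carry SHA-2 sections.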