[buug] Gentoo, Bluecurve and Linux too!

Patrick Soltani psoltani at ultradns.com
Fri Oct 18 12:59:21 PDT 2002


> and how are you sure the md5 hash hasn't been tampered with?
> Having an md5 signature is only done on compressed packages (.tar, etc),
> this usually stops you from doing such things as diffing with older versions.
> Basically I doubt you would do such a thing without keeping the application
> tracked with cvs.

Wow, we are getting technical here. From the man pages:

     " These functions implement the MD5 message-digest algorithm,
     which takes as input a message of arbitrary length and pro-
     duces as output a 128-bit "fingerprint" or "message digest"
     of the input. It is intended for digital signature applica-
     tions, where a large file must be "compressed" in a secure
     manner before being encrypted with a private (secret) key
     under a public-key cryptosystem such as RSA. "

The operative word is "intended".  You can run MD5 on binary files; it is not confined to compressed files.
In fact Solaris has the MD5 fingerprints for ALL the files in the system. I am sure not all of them are ".tar, etc".

> I suggest you read the classic paper "Reflections on Trusting Trust" by
> Ken Thompson. If you happened to have read it already, read it again because
> you didn't understand it.

No, I have not read what you consider the Security Bible, but will do so when I get a chance.  Thanks for the pointer.


> I disagree. I will make the observation that we are talking about open source
> software, which if you have a binary for that would imply you can also
> get the source for what made the binary. So then simply uninstall the binary
> if it is giving you grief, get the src for it, and bash your head against it.

That's exactly the point, Yoda.  How do you know the binaries you are installing/installed were generated from the source that you have?  So you have to compile it from source and then compare!


Regards,
Patrick Soltani.
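The two technical claims in the thread above, that a message digest works on any file (not just a tarball) and that a system-wide fingerprint database lets you detect a binary that no longer matches what you built or installed, can be shown in a few lines. The following is an added example, not code from the list or from any of the posters; it builds a fingerprint manifest of a directory tree, then rebuilds it after a file has changed and reports what differs. The directory contents, the "ELF-looking" file and the file names are all constructed for the demonstration. The digest is a parameter because MD5's collision resistance has been broken since 2004, so a new manifest should use SHA-256; the MD5 default only mirrors what the thread discusses.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint_bytes(data, algorithm="md5"):
    """Digest of an in-memory byte string (binary or text, it makes no difference)."""
    return hashlib.new(algorithm, data).hexdigest()


def fingerprint_file(path, algorithm="md5", chunk_size=65536):
    """Digest of a file of arbitrary size, streamed so large binaries don't need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="md5"):
    """Map every regular file under root (relative POSIX path) to its digest,
    the same idea as a system-wide fingerprint database."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = fingerprint_file(p, algorithm)
    return manifest


def compare_manifests(expected, actual):
    """Report files whose digest changed, files that vanished, and files that appeared.
    'expected' is the trusted baseline (e.g. from your own source build),
    'actual' is what is on disk now."""
    return {
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
    }


def demo(algorithm="md5"):
    """Constructed scenario: take a baseline of a tiny fake install tree,
    then alter one binary and drop in an extra file, and diff the manifests."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # constructed "binary": an ELF magic prefix followed by every byte value
        (root / "bin" / "hello").write_bytes(b"\x7fELF" + bytes(range(256)))
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_manifest(root, algorithm)

        # the binary is replaced by something with the same size and magic,
        # which a size or "is it still an ELF?" check would not notice
        (root / "bin" / "hello").write_bytes(b"\x7fELF" + bytes(range(255, -1, -1)))
        (root / "etc" / "extra").write_text("x\n")
        current = build_manifest(root, algorithm)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    print(fingerprint_bytes(b"abc"))            # MD5 of the three bytes "abc"
    print(fingerprint_bytes(b"abc", "sha256"))  # same input, stronger digest
    print(demo())
```

Run with `python3 fingerprints.py` (any file name). To apply it the way the thread suggests, build the package from source you trust, run `build_manifest` over the install prefix to get `expected`, run it again over the binaries you actually installed to get `actual`, and look at `compare_manifests(expected, actual)`; a non-empty `modified` list is exactly the "binary does not match the source" case Patrick raises. The manifest itself must be stored somewhere the same attacker cannot edit, which is the point the other poster makes about trusting the hash.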
