Ubuntu
binutils package

Why are there no md5 sums for binutils package? (GNU linker and assembler)

Asked by Stefan Lasiewski

The binutils package includes core binary utilities like /usr/bin/ld and /usr/bin/as (The GNU linker and assembler). I noticed that the binutils package [1] does not include md5sums for the installed binaries.

Here's what I saw when I ran a quick verification of packages on my system:

$ sudo debsums -c
debsums: no md5sums for binutils
<*SNIP*>

$ ls -l /var/lib/dpkg/info/binutils.*
-rw-r--r-- 1 root root 3348 2010-09-01 19:10 /var/lib/dpkg/info/binutils.list
-rwxr-xr-x 1 root root 65 2010-08-20 07:39 /var/lib/dpkg/info/binutils.postinst
-rwxr-xr-x 1 root root 62 2010-08-20 07:39 /var/lib/dpkg/info/binutils.postrm
-rw-r--r-- 1 root root 168 2010-08-20 07:39 /var/lib/dpkg/info/binutils.shlibs

Since ld and as are essential to compiling software on a system, should md5 sums be included with this package, so that admins can quickly verify the integrity of these binaries? If `ld` and `as` were corrupted, would that present a stability problem for the system? If these binaries were security compromised, could that cause a security problem for binariess which were compiled after the compromise?

Do md5 sums improve the stability and security of a system?

By comparison, RedHat/CentOS systems allow me to verify the installed RPMs using `rpm -V` [2], and it's frequently used to provide a quick verification of packages installed on a system. Is this a good idea in terms of security and stability, or is it misleading?

[1] http://www.gnu.org/software/binutils/
[2] http://www.rpm.org/max-rpm/ch-rpm-verify.html

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu binutils Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Josh George (josh-narins-gmail) said : 		#1

For me it isn't only binutils 2.19.1-0ubuntu3 that is vital and missing debsums, I also don't have them for:

at, bzip2, ed, g++ (!!), gawk, gcc-multilib, gcj, gfortran, gij, initscripts(!!!), installation-report, klogd (!), libbz2, libaudio2, liblockfile (?!), netbase, startup-tasks, sysklogd (!), sysv-rc, sysvinit-utils, ubuntu-keyring (!!!), xserver-xorg

Hopefully someone can explain to me how I can help secure my system by fixing up what seems, at least to me, to be glaring deficiencies in debsums.

Revision history for this message
Josh George (josh-narins-gmail) said : 		#2

http://www.linuxquestions.org/questions/linux-security-4/ubuntu-hardy-fails-md5-checks-debsums-for-modules-651025/

Seems to provide an answer, fwiw:

I'm not particularly well-versed in Debian policy (since that's upstream for .*buntu), but apparently there are a few reasons: Debian packages being built with a buildsystem that doesn't use the dh_sums thingie, Debain packagers deliberately keeping packages from getting checksummed and Debian policy only slowly changing: it just isn't mandatory but considered "best practice" (2007). You can generate them yourself by creating /etc/apt/apt.conf.d/90debsums:
Code:

DPkg::Post-Invoke { "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi"; };
(best before installing packages: your distro docs should have told you).

Package MD5s are of limited value, but yours isn't the only distro that sticks to supplying only that kind of checksums. The only thing they can "verify" is the integrity of the package itself not its contents. So that's another good reason for installing a file integrity checker (Aide, Samhain, Osiris or even tripwire) right after you install your OS (later on doesn't make much sense). Plus package MD5s should be superseded by GPG sigs anyway.

Revision history for this message
Stefan Lasiewski (stefanlasiewski) said : 		#3

Thanks Josh. That does answer why Ubuntu does not include MD5 sums with it's packages.

It does beg the question why does Ubuntu need to rely on the Debian maintainers for this feature.

Revision history for this message
Stefan Lasiewski (stefanlasiewski) said : 		#4

Thanks Josh. That does answer why Ubuntu does not include MD5 sums with it's packages.

It does beg the question why does Ubuntu need to rely on the Debian maintainers for this feature.

Can you help with this problem?

Provide an answer of your own, or ask Stefan Lasiewski for more information if necessary.

To post a message you must log in.