FOSDEM: Multiarch on Debian and Ubuntu
Posted Mar 1, 2012 12:11 UTC (Thu) by elanthis (guest, #6227)
In reply to: FOSDEM: Multiarch on Debian and Ubuntu by pagerc
Parent article: FOSDEM: Multiarch on Debian and Ubuntu
The files created by a package should not be modified for any reason. I should be able to do a package verification and check the checksums of the installed components.
It would be possible to update the package database with modified checksums of binaries that are "patched" by a fatelf system, but then that reduces the overall safety. Then I would only be able to check a potentially compromised system's filesystem using data that only exists in the potentially compromised system's filesystem. Without modifying binaries, I can grab the upstream original verified out-of-band package and compare its checksums directly to those on the system's filesystem image.
Yes, I realize that prelink already screws up most of this. I'm not sure if prelink is still commonly used (faster linkers like gold and strict symbol visibility control can reduce the need for prelinking, and address space randomization should be part of the dynamic loader, but maybe Linux distros haven't caught up yet).
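The out-of-band check described in the comment above, as an added example that is not part of the original thread: a mounted filesystem image is compared against a checksum manifest produced from the trusted package on a separate machine. The manifest layout (`<hex digest>  <relative path>` lines), the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse '<hex digest>  <relative path>' lines into {path: digest}."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            manifest[path.strip()] = digest.lower()
    return manifest

def verify_image(manifest, image_root, algo="sha256"):
    """Check files under a mounted image against an out-of-band manifest."""
    root = os.path.realpath(image_root)
    report = {"ok": [], "modified": [], "missing": [], "redirected": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, os.path.normpath(rel))
        if not os.path.lexists(full):
            report["missing"].append(rel)
        elif os.path.realpath(full) != full or not os.path.isfile(full):
            # A symlink anywhere in the path could resolve outside the image
            # (onto the examiner's own files), so report it and do not hash.
            report["redirected"].append(rel)
        else:
            h = hashlib.new(algo)
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            report["ok" if h.hexdigest() == expected else "modified"].append(rel)
    return report

def demo():
    """Constructed sample: a four-file 'package' and a tampered image of it."""
    pristine = {"usr/bin/tool": b"original\n", "usr/bin/helper": b"helper\n",
                "usr/lib/libx.so": b"library\n", "usr/share/doc/tool": b"doc\n"}
    manifest_text = "".join(
        f"{hashlib.sha256(data).hexdigest()}  {path}\n" for path, data in pristine.items())
    root = tempfile.mkdtemp()
    for path, data in pristine.items():
        os.makedirs(os.path.dirname(os.path.join(root, path)), exist_ok=True)
        with open(os.path.join(root, path), "wb") as f:
            f.write(data)
    with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
        f.write(b"patched\n")                         # binary rewritten in place
    os.remove(os.path.join(root, "usr/lib/libx.so"))  # file deleted
    os.remove(os.path.join(root, "usr/bin/helper"))
    os.symlink("/bin/sh", os.path.join(root, "usr/bin/helper"))  # swapped for a link
    return verify_image(parse_manifest(manifest_text), root)
```

dpkg's per-package `md5sums` files use the same line layout, so they can be fed to `verify_image` with `algo="md5"`.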
Posted Mar 1, 2012 16:02 UTC (Thu)
by nix (subscriber, #2304)
Posted Mar 3, 2012 10:02 UTC (Sat)
by TRS-80 (guest, #1804)