Re: status: hints on how to check your machine for intrusion

From: Willy Tarreau
Date: Sun Oct 02 2011 - 01:35:54 EST

Hi Peter,

On Sat, Oct 01, 2011 at 05:10:44PM -0700, H. Peter Anvin wrote:
> On 10/01/2011 03:43 PM, Willy Tarreau wrote:
> >
> > <version> <umask> <user> <group> <tag md5> <tar md5> <tar.gz md5> <status>
> >
> > Since I can attest that I exclusively extracted the tarballs from the
> > tar.gz and dumped their md5 at the same time, I'm pretty sure that the
> > tar.gz's md5 is OK if the tar's md5 is OK. This will help speed up sig
> > checks on mirrors.
> >
> By the way, it's usually better to use sha256 or something else more
> modern than MD5.

I know but I wanted to use something fast enough on this small
machine. sha256sum is 3.5 times slower than md5sum. Also, we're
not necessarily looking for an issue by which someone would have
spent his time trying to make an md5 collision here ; re-signing
a modified tarball with gpg as root would have been a lower hanging

That said, once we know the tarballs are fine, it will not be that
hard to rebuild the sha256 of the compressed tarballs and match them
against existing images.

> > All the times I got a different MD5 between the tarball and the git
> > tag was because of a different user name in the tarball. It seems
> > that old git versions used to use "git/git" instead of "root/root"
> > now.
> Yes, that change was introduced in git-1.5.0-rc1.

I noticed your comment on this in another mail, thanks for the details.

> > This is hardcoded so it's not easy to change it, and I suspect
> > that the tar format might have changed a bit, so if we want to check
> > those MD5s, either we check on old mirrors that are 100% safe, or we
> > have to reinstall an old version of git.
> ... or extract the tarball and diff the contents versus the git tree.



To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at