[Nagiosplug-help] md5 sums for the plugins

Thomas Guyot-Sionnest dermoth at aei.ca
Wed Nov 12 09:42:14 CET 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/08 12:51 AM, Pavel Mirsky wrote:
>>> On 11/11/08 07:42 PM, Pavel Mirsky wrote:
>>>> Hi,
>>>>
>>>> I am interested in Nagios and am working through the plugin
>>>> installation.  I've downloaded the source but am unable to
>>>> find MD5 sums on your site to compare with my download.  Can
>>>> you point me to the MD5 sums so I can verify the
>>>> integrity of my download?
>>> There are checksums in Gzip compression, so if it untars
>>> without errors it's fine.
>> Could he be asking to verify that the download is not
>> trojaned?
>>
>> -Jason Martin
>> -- 
>> Nobody knows the Tribbles I've seen...
>> This message is PGP/MIME signed.
> 
> Thank you for your responses.  The biggest concern is ensuring that the files I have downloaded contain only the code that the developers intended - i.e. not trojaned.  If this is satisfied, I will know I have received it without errors as well.
> 
> I have looked all over http://nagiosplugins.org/ and the Nagios Plugins Sourceforge site and found nothing.  The MD5 for the Nagios core is in the release notes on the Nagios site.  Why not for the plugins as well?  Have I overlooked it?

An md5sum isn't a guarantee that the file isn't trojaned. Whoever put
that file up there could just as well run md5sum on it and upload it as
well.

If we'd like to add such protection we would create a key pair and sign
our tarballs (generally the .sig or .asc extension is used, and
sometimes - generally for huge files - the md5/sha1 is signed rather
than the file itself).

We don't do this (yet?) and even if we'd start you would have to trust
the key first (and again, if someone manages to make a trojaned package,
he could possibly upload his own key too).

In other words, there isn't much I can do right now. Even if I'd take
the time to download a tarball, make a distribution of the same version
out of my own code repository (which to the best of my knowledge is not
trojaned), compare it and finally checksum the tarball once I've
verified it, would you actually trust me? You seem to be new here (first
post) so it looks like I'm a total stranger to you...

- --
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJGpbm6dZ+Kt5BchYRAlYoAJ90ZHs3HTBAqp9knVpX//hrS5+xmwCeLrzC
jsOKWP/HlEuMRXJYG/69ICw=
=cb8d
-----END PGP SIGNATURE-----
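The trust argument Thomas makes above (a checksum uploaded by the same party as the tarball proves nothing about trojaning; a signature over the tarball or over its checksum file does, but only against a key you trusted beforehand) is worked through below as an added example. It is not code from the Nagios Plugins project or from anyone in this thread. It assumes Ed25519 from Go's standard library in place of the PGP key pair the message talks about, a constructed byte string in place of the real plugin tarball, and the "huge files" variant in which the signature covers the checksum file rather than the tarball itself; all names in it are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a download site serves: the tarball, a checksum file
// (the md5/sha file the original poster was looking for) and a detached
// signature (the ".asc" the message mentions). Which of the three an
// attacker can replace decides what a downloader can detect.
type Release struct {
	Tarball  []byte
	Checksum string // hex SHA-256 of Tarball, the contents of a .sha256 file
	Sig      []byte // detached signature over the checksum file
}

// NewKeyPair generates a signing key. Ed25519 stands in for the PGP key
// pair the message talks about; the trust argument is the same.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the maintainer's release step. As in the "huge files" variant
// from the message, the signature covers the checksum file rather than the
// tarball, so a verifier must still hash the tarball afterwards.
func Publish(priv ed25519.PrivateKey, tarball []byte) Release {
	sum := sha256.Sum256(tarball)
	checksum := hex.EncodeToString(sum[:])
	return Release{
		Tarball:  tarball,
		Checksum: checksum,
		Sig:      ed25519.Sign(priv, []byte(checksum)),
	}
}

// VerifyChecksumOnly is the check the original poster asked for. It passes
// whenever tarball and checksum were uploaded by the same party, trojaned
// or not, so it detects corruption in transit but never substitution.
func VerifyChecksumOnly(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// VerifySigned is the chain the message describes. The public key must be
// one the downloader trusted before fetching the release (obtained out of
// band), not a key served next to the tarball; otherwise whoever can
// replace the tarball can replace the key as well.
func VerifySigned(trusted ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(trusted, []byte(r.Checksum), r.Sig) {
		return errors.New("checksum file is not signed by the trusted key")
	}
	if !VerifyChecksumOnly(r) {
		return errors.New("tarball does not match the signed checksum")
	}
	return nil
}

// Trojan models an attacker who controls the download site: the tarball is
// swapped and the checksum file regenerated to match it. With a key of
// their own they re-sign too; with a nil key the old signature stays.
func Trojan(r Release, payload []byte, attackerPriv ed25519.PrivateKey) Release {
	sum := sha256.Sum256(payload)
	t := Release{Tarball: payload, Checksum: hex.EncodeToString(sum[:]), Sig: r.Sig}
	if attackerPriv != nil {
		t.Sig = ed25519.Sign(attackerPriv, []byte(t.Checksum))
	}
	return t
}

func main() {
	maintainerPub, maintainerPriv := NewKeyPair()
	attackerPub, attackerPriv := NewKeyPair()

	// Constructed stand-ins for the plugin tarball and a backdoored copy.
	genuine := Publish(maintainerPriv, []byte("genuine plugin tarball"))
	trojaned := Trojan(genuine, []byte("tarball with an added backdoor"), attackerPriv)

	fmt.Println("genuine, checksum only:  ", VerifyChecksumOnly(genuine))
	fmt.Println("trojaned, checksum only: ", VerifyChecksumOnly(trojaned)) // still true
	fmt.Println("genuine, signed:         ", VerifySigned(maintainerPub, genuine))
	fmt.Println("trojaned, signed:        ", VerifySigned(maintainerPub, trojaned))
	// Trusting whatever key the site serves re-opens the hole:
	fmt.Println("trojaned, attacker's key:", VerifySigned(attackerPub, trojaned))
}
```

The last line of main is the point of Thomas's "you would have to trust the key first": if the downloader accepts the key that sits beside the tarball, the attacker's re-signed release verifies cleanly, so the key has to reach the downloader by some path the download site does not control.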
