[Nagiosplug-help] md5 sums for the plugins

Andreas Ericsson ae at op5.se
Wed Nov 12 11:25:37 CET 2008


Thomas Guyot-Sionnest wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 12/11/08 12:51 AM, Pavel Mirsky wrote:
>>>> On 11/11/08 07:42 PM, Pavel Mirsky wrote:
>>>>> Hi,
>>>>>
>>>>> I am interested in Nagios and am working through the plugin
>>>>> installation.  I've downloaded the source but am unable to
>>>>> find MD5 sums on your site to compare with my download.  Can
>>>>> you point me to the MD5 sums so I can verify the
>>>>> integrity of my download?
>>>> There are checksums in Gzip compression, so if it untars
>>>> without errors it's fine.
>>> Could he be asking to verify that the download is not
>>> trojaned?
>>>
>>> -Jason Martin
>>> -- 
>>> Nobody knows the Tribbles I've seen...
>>> This message is PGP/MIME signed.
>> Thank you for your responses.  The biggest concern is ensuring that the files I have downloaded contain only the code that the developers intended - IE. not trojaned.  If this is satisfied, I will know I have received it without errors as well.
>>
>> I have looked all over http://nagiosplugins.org/ and the Nagios Plugins Sourceforge site and found nothing.  The MD5 for the Nagios core is in the release notes on the Nagios site.  Why not for the plugins as well?  Have I overlooked it?
> 
> An md5sum isn't a guarantee that the file isn't trojaned. Whoever put
> that file up there could just as well run md5sum on it and upload it as
> well.
> 

The idea is to put the md5sums on a different server (preferably behind
a different firewall), just to make it tricksy for the trojans to peddle
their horse as the real deal.

> If we'd like to add such protection we would create a key pair and sign
> our tarballs (generally the .sig or .asc extension is used, and
> sometimes - generally for huge files - the md5/sha1 is signed rather
> than the file itself).
> 
> We don't do this (yet?) and even if we'd start you would have to trust
> the key first (and again, if someone manages to make a trojaned package,
> he could possibly upload his own key too).
> 
> In other words, there isn't much I can do right now. Even if I'd take
> the time to download a tarball, make a distribution of the same version
> out of my own code repository (which to the best of my knowledge is not
> trojaned), compare it and finally checksum the tarball once I've
> verified it, would you actually trust me? You seem to be new here (first
> post) so it looks like I'm a total stranger to you...
> 

Something to consider, certainly.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
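The flow Thomas sketches above (sign a checksum file rather than the tarball, then let the downloader check the signature first and the checksum second), worked through as an added example; this is not code from the Nagios Plugins project or from anyone on this thread. So that it runs with only the Python standard library, a Lamport one-time signature built from SHA-256 stands in for GnuPG's detached signature (in practice you would use gpg --detach-sign and gpg --verify), SHA-256 replaces the MD5 the thread talks about, and the file name, checksum-file name and tarball bytes are constructed for the demo.

```python
"""Signed checksum file vs. trojaned tarball: stand-alone illustration.
Not Nagios Plugins project code.  A Lamport one-time signature made from
SHA-256 stands in for GnuPG so this needs only the standard library."""
import hashlib
import hmac
import os

TARBALL_NAME = "nagios-plugins.tar.gz"   # constructed name for the demo
SUMS_NAME = "SHA256SUMS"                 # constructed; the thread talks about MD5


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (stand-in for gpg --detach-sign) ------------
# Private key: 256 pairs of random 32-byte secrets.  Public key: the SHA-256
# of each secret.  Signing reveals one secret per bit of the message digest;
# verifying hashes each revealed secret and compares it with the public key.
# Never sign two different messages with one key: each signature reveals half
# of the secrets, so a second signature would let a forger mix and match.

def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _digest_bits(message: bytes):
    digest = _h(message)
    for i in range(256):
        yield (digest[i >> 3] >> (7 - (i & 7))) & 1


def lamport_sign(sk, message: bytes) -> bytes:
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(message)))


def lamport_verify(pk, message: bytes, signature: bytes) -> bool:
    if len(signature) != 256 * 32:
        return False
    for i, bit in enumerate(_digest_bits(message)):
        revealed = signature[i * 32:(i + 1) * 32]
        if _h(revealed) != pk[i][bit]:
            return False
    return True


# --- checksum file in the sha256sum(1) line format: "<hex>  <name>" ----------

def make_sha256sums(files: dict) -> str:
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def parse_sha256sums(text: str) -> dict:
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, name = line.split(None, 1)
        expected[name.lstrip("*")] = hexdigest.lower()   # "*" marks binary mode
    return expected


# --- maintainer side and downloader side -------------------------------------

def publish_release(tarball: bytes, sk):
    """Maintainer: hash the tarball into SHA256SUMS and sign only that file."""
    sums = make_sha256sums({TARBALL_NAME: tarball})
    return sums, lamport_sign(sk, sums.encode())


def verify_release(tarball: bytes, sums: str, signature: bytes, pk):
    """Downloader: having trusted pk, check the signature, then the checksum."""
    if not lamport_verify(pk, sums.encode(), signature):
        return False, "signature on %s does not verify" % SUMS_NAME
    expected = parse_sha256sums(sums).get(TARBALL_NAME)
    if expected is None:
        return False, "%s has no entry for %s" % (SUMS_NAME, TARBALL_NAME)
    actual = hashlib.sha256(tarball).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return False, "tarball does not match its signed checksum"
    return True, "ok"


def demo():
    """Three downloads: genuine; swapped tarball; swapped tarball plus a
    regenerated (unsigned) checksum file.  Returns the three verdicts."""
    sk, pk = lamport_keygen()
    genuine = b"constructed stand-in for the real tarball bytes"
    trojaned = genuine + b"\n# attacker's addition"
    sums, sig = publish_release(genuine, sk)
    genuine_ok, _ = verify_release(genuine, sums, sig, pk)
    # Attacker replaces the tarball on the mirror but leaves the signed
    # checksum file alone: the SHA-256 no longer matches.
    swapped_ok, _ = verify_release(trojaned, sums, sig, pk)
    # Attacker also regenerates the checksum file (exactly what a bare md5sum
    # next to the tarball permits) but has no private key to re-sign it.
    forged_sums = make_sha256sums({TARBALL_NAME: trojaned})
    forged_ok, _ = verify_release(trojaned, forged_sums, sig, pk)
    return genuine_ok, swapped_ok, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Note that the example does nothing about Thomas's remaining objection: the downloader still has to obtain the public key (pk here) over a channel the attacker does not control, or an attacker who can replace the tarball can replace the key as well.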
