debsums: no md5sums for a lot of important packages on sarge
From: Alexandros Papadopoulos <apapadop(at)alumni.cmu.edu>
Date: Mon Oct 08 2007 - 03:30:50 EDT
During investigation of kernel panics on a Debian stable (sarge) server I administer, I installed debsums. The result of the first run was:

blah:~# debsums -c
debsums: no md5sums for at
debsums: no md5sums for base-files
debsums: no md5sums for binutils
debsums: no md5sums for bsdutils
debsums: no md5sums for bzip2
debsums: no md5sums for console-data
debsums: no md5sums for debian-archive-keyring
debsums: no md5sums for ed
debsums: no md5sums for gnupg
debsums: no md5sums for gpgv
debsums: no md5sums for hotplug
debsums: no md5sums for initscripts
debsums: no md5sums for kernel-image-2.6.8-2-686
debsums: no md5sums for klogd
debsums: no md5sums for libbz2-1.0
debsums: no md5sums for libdb4.2
debsums: no md5sums for libdb4.3
debsums: no md5sums for libdb4.4
debsums: no md5sums for libgdbm3
debsums: no md5sums for liblockfile1
debsums: no md5sums for libncurses5
debsums: no md5sums for libncursesw5
debsums: no md5sums for libreadline4
debsums: no md5sums for make
debsums: no md5sums for mawk
debsums: no md5sums for mime-support
debsums: no md5sums for module-init-tools
debsums: no md5sums for modutils
debsums: no md5sums for mount
debsums: no md5sums for ncurses-base
debsums: no md5sums for ncurses-bin
debsums: no md5sums for netbase
debsums: no md5sums for openbsd-inetd
debsums: no md5sums for php4
debsums: no md5sums for php4-pear
debsums: no md5sums for rsync
debsums: no md5sums for squid
debsums: no md5sums for squid-common
debsums: no md5sums for ssh
debsums: no md5sums for sysklogd
debsums: no md5sums for sysv-rc
debsums: no md5sums for sysvinit
debsums: no md5sums for sysvinit-utils
debsums: no md5sums for update-inetd
debsums: no md5sums for util-linux
blah:~#

Now, I consider this a pretty secure machine: I monitor it closely with tripwire, it has a very tight network fingerprint, multiple layers of authentication, latest security patches are always installed on the day they are published, etc. So I believe the above output NOT to be the result of a breach.

My question is, is it acceptable to have so many important and widely used packages in *stable* without MD5 checksums? Secondly, how can one fix this on a production system? Is the following method proposed by Paul Gear @ http://lists.debian.org/debian-security/2005/06/msg00126.html the best/only way?
cd /var/cache/apt/archives

Thanks for any input
-A

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:54:09 EDT