Core v6.2rc2

[nitram]

Core Concepts...
One quick user beware: Tiny Core is not a turn-key operating system...
Downloaded programs WILL have an md5 file...
Core is NOT a secure system.  All security must be added by the user...
Once an outsider gains access, no program can be trusted.  All the features you think would add security could be faked...
If you suspect an intrusion occurred, you would need to boot from a secured thumbdrive and verify the checksums on your persistent storage. Once verified, you could then do your normal boot.

Thanks for the response, it's been enlightening. TinyCore is not turn-key, that is obvious although not a valid argument. For example, out of the box TinyCore provides a control panel and GUI tools for trival matters, such as mounting partitions and changing desktop backgrounds. To shoot down a user concern and/or feature request based on this argument is unfair.

By design TC has features that help make it reasonably secure (no automounts, read-only file system, minimal background services, set password, encrypted backup, etc). And with minimal effort it's not hard to make TC about as secure as any other distribution (iptables, custom software compiles, shutdown without backup, etc).

Since the kernel and primary file system are read-only and the user is in complete control of what gets loaded and backed up/when, then the remaining item is to protect the integrity of the extensions. Thank-you for the sums on separate storage tip, that will be useful.

As there appears to be some confusion, just to be clear this is my concern and feature request. When Apps completes the md5 check and reports 'Md5 checking complete' is also checks and lists the extensions that could not be verified due to a missing md5.txt file. No actual system changes, just reporting. The feature would even be useful to developers, a quick reminder of outstanding md5 files that need to be created prior to submission.

Code: [Select]

Md5 checking complete.
The following extensions could not be verified due to missing md5.txt files:
abc.tcz
xyz.tcz
No reply required. I've tried to provide feedback on this and previous RCs on several items and my experience has been that in most instances the feedback is quickly pooh-poohed or ignored altogether. When a suggestion is heard, it typically takes numerous responses and lively discussions to justify the request. Apparently TC does not require much refinement and i am probably just wasting everyone's time. I will likely just continue to utilize TC as a regular user. Thanks.

[bmarkus]

bmarkus wrote:
I do not see why and how a missing md5 is imposing a security risk.

Well to me the purpose of an md5 check is not only to confirm an accurate download, but also to help ensure there is no curruption in the system post-install, which could be secondary to a security violation. Does that not make sense?

No. Presence or lack of .md5 has no any security impact, it is not related to security at all. It useful only to check integrity of downloaded file and to speed up update check eliminating md5 recalculation. Thats all.

[gerald_clark]

That is the way it is.  You need to defend suggested changes.  You have to convince the developers here that it is either necessary of desirable.
Your last suggestion that missing md5 files be reported may not seem unreasonable, but may or may not be trivial to implement, and may not, in the view of the developers, fit the intended use of the program.
A patch file providing the feature you wish to be accepted is more likely to get it considered.

[aswjh]

Patchs for tce-load,tce-setup, please see if they are useful:
1.option -t, to set TCEDIR
2.simplification of app_exists
3.simplification
4.recursive_scan outputs with path, for "tce-load -i/w path1/ext1  path2/ext2"
5.centrally scan dep files.

[Juanito]

I've just finished preparing the tc-6.2 release, but thanks, we'll have a look for tc-6.3.

[curaga]

@aswjh

Thanks!

Patches 1-3 and the tce-setup one applied. On 4 and 5, I think mixed dirs like that is not desirable; it adds complexity, and it's quite reasonable to expect extensions only from one dir in one invocation. 5 did result in a similar speedup in CorePlus as the tce-setup one, but didn't apply alone. If you reworked it to not depend on the mixed dirs, we'll take it too.