Re: Time to replace MD5?
Bernd Eckenfels <firstname.lastname@example.org> writes:
> In article <20070612211349.GA6350@kitenet.net> you wrote:
>> I don't understand why DSAs for etch include md5sums and manual upgrade
>> instructions at all. Apt can verify the checksum and gpg signature and
>> handle the upgrade after all, and probably more securely than the
>> average user following the manual instructions.
> Because open source is all about choice. There might be admins using dpkg -i
> or security officers who build their local mirrors manually.

Then they can wget the Release.gpg file, Release file, Packages file
and check each in turn. Their choice.

As for local mirrors: debmirror and reprepro already check the
Release.gpg file if wanted and anybody using something else to mirror
should do so too.
So both aren't really good arguments to complicate the mails.