Re: signed package information
Tom Allison <firstname.lastname@example.org> writes:
> I was just reading slashdot about the Debian distro and there was
> some discussion about the md5 signature of packages.
> Is there some way that this (is already or can be) implimented by
> default on package installations?
It's largely a matter of the maintainer generating the md5sum
information when they build the package; debsums(1) also has a
fragment you can drop in your APT configuration to generate md5sum
data for packages that don't include it.
But do note that this is isn't necessarily useful for security. If
your machine has been compromised, you could be checking with a
compromised debsums or md5sum program, or the attacker can overwrite
the debsums md5sum files. It *is* useful if you have questionable
hardware and want to see what installed packages are damaged.
David Maze email@example.com http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
-- Abra Mitchell