also sprach Gerfried Fuchs <rhonda@deb.at> [2008.05.02.1425 +0100]:
> Given that md5sum faking is pretty easy these days

In *theory*.

This discussion is ridiculous. I know it's possible, sometimes even fun, to argue security zealously. But your arguments have zero real-world relevance. You can't provide me with an attack vector without acknowledging that all of etch's dpkg-dev source package handling is broken in this regard and we should have long moved to sid's dpkg-dev for backports.org at the very least.

You are not seriously claiming that a user, after unpacking a source package with dpkg-source, and noticing that it didn't complain, is going to look at the source package and say "ah, I am glad, dpkg-source really can't have made a mistake, there are so many checksums here...". What did that poor user do before we had SHA-1 checksums?

Anyway, I am glad you won't be repeating yourself. I was and am still hoping to hear an argument why sid's source packages can't be accepted at backports.org. You have not been able to provide one, and nobody else has... which is why I am no longer contributing to this service and will unsubscribe from the mailing list now.

--
 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"no work of art ever puts forward views.
 views belong to people who are not artists."
    -- oscar wilde