also sprach Gerfried Fuchs <rhonda@deb.at> [2008.05.02.1425 +0100]:
> Given that md5sum faking is pretty easy these days
In *theory*.
This discussion is ridiculous. I know it's possible, sometimes even
fun, to argue security zealously. But your arguments have zero
real-world relevance. You can't provide me with an attack vector
without acknowledging that all of etch's dpkg-dev source package
handling is broken in this regard and we should have long moved to
sid's dpkg-dev for backports.org at the very least.
You are not seriously claiming that a user, after unpacking a source
package with dpkg-source, and noticing that it didn't complain, is
going to look at the source package and say "ah, I am glad,
dpkg-source really can't have made a mistake, there are so many
checksums here...". What did that poor user do before we had SHA-1
checksums?
Anyway, I am glad you won't be repeating yourself. I was and am
still hoping to hear an argument why sid's source packages can't be
accepted at backports.org. You have not been able to provide one,
and nobody else has... which is why I am no longer contributing to
this service and will unsubscribe from the mailing list now.
--
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems
"no work of art ever puts forward views.
views belong to people
who are not artists."
-- oscar wilde
Attachment:
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)