
Re: bzip2 for source packages?



Felix Schroeter <felix@mamba.pond.sub.org> writes:

> In article <13626.12150.464737.43696@miles.econ.queensu.ca> you write:
> >  Avery>  Could someone explain to me why it's so important to keep sources
> >  Avery> "pristine" in this sense?  
> 
> >Security. Trojan horses. To be able to compare against digital footprints (eg
> >md5sums) from upstream.
> 
> >  Avery> I can understand not wanting to
> >  Avery> untar-retar the archive, but recompressing it?  Who does that hurt?
> 
> >The md5sum changes.
> 
> Only if you (IMHO erroneously) take the md5 of the compressed archive.

Declining to join the debate: When a c.o.l.ann announcement contains
source archive md5sums, it is the sum of the compressed archive. In
case you are right it might be a worthwhile project to convince all
people and the world, but it is a bit beyond Debian's scope (IMHO).

> And an MD5 itself doesn't secure you from trojans, anyway. (If I can change
> the MD5ed file, I can often also change the MD5.)

You have to get another md5sum from a trustworthy source. This could
be a PGP-signed c.o.l.ann announcement.

For the Debian-only case you have to check the pgp signature of the
.dsc file against Debian's official keyring, which you must have
obtained by trustworthy means. Security can transfer trust from one
item to another, but you need some initial trust.

	Sven
-- 
Sven Rudolph <sr1@inf.tu-dresden.de>
http://www.sax.de/~sr1/
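The point of the thread, shown in code: recompressing the same tar stream (here gzip vs. bzip2) changes the md5sum of the compressed file, so a checksum announced for the upstream .tar.gz cannot be checked against a .tar.bz2, while the md5sum of the tar stream inside both files is identical. This is an added illustration, not code from the original post; the tiny in-memory tar archive is constructed for the example and all helper names are made up.

```python
import bz2
import gzip
import hashlib
import io
import tarfile


def build_sample_tar() -> bytes:
    """Constructed stand-in for an upstream source tarball (one file, fixed mtime)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"int main(void) { return 0; }\n"
        info = tarfile.TarInfo(name="foo-1.0/main.c")
        info.size = len(payload)
        info.mtime = 0  # fixed timestamp so the tar bytes are reproducible
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def inner_tar_digest(compressed: bytes) -> str:
    """md5 of the tar stream inside a .tar.gz or .tar.bz2, whichever compressor was used."""
    if compressed[:2] == b"\x1f\x8b":      # gzip magic
        return md5_hex(gzip.decompress(compressed))
    if compressed[:3] == b"BZh":           # bzip2 magic
        return md5_hex(bz2.decompress(compressed))
    raise ValueError("unknown compression format")


def compare_recompression() -> dict:
    """Hash the 'upstream' .tar.gz and a bzip2 recompression of the same tar."""
    tar_bytes = build_sample_tar()
    tgz = gzip.compress(tar_bytes, mtime=0)   # what upstream announced an md5sum for
    tbz = bz2.compress(tar_bytes)             # same tar stream, recompressed with bzip2
    return {
        "upstream_tgz_md5": md5_hex(tgz),
        "recompressed_tbz_md5": md5_hex(tbz),
        "inner_tar_md5_from_tgz": inner_tar_digest(tgz),
        "inner_tar_md5_from_tbz": inner_tar_digest(tbz),
    }


if __name__ == "__main__":
    for name, digest in compare_recompression().items():
        print(f"{name}: {digest}")
```

The outer sums differ and the inner sums agree, which is exactly why an announced md5sum of the compressed archive is only useful for the byte-identical compressed file it was computed over.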

