
Re: debsums for maintainer scripts

On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:

> The only reason attackers don't do it is because with rpm noone cares
> about the md5sums.

Would you care to provide some evidence as to why Debian having md5sums
on all packages would be any different for attackers than RedHat having
it? Please keep in mind:
      * Debian already has md5sums for many packages.
      * RedHat already has md5sums on all packages.
      * RedHat (probably) has a larger installed base than Debian.
      * RedHat is more known than Debian to the general public.

> Or the md5sum file was damaged.

The md5sum file is much smaller, and thus is much less likely to be hit
(by random chance)

> PS: even if debian had md5sum lists for each package they would be
> only current packages and not older version you would have installed.
> A signature inside the deb would last.

There is no technical reason we'd have to only have ones for the latest


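The thread discusses per-package md5sum lists (the files debsums checks) and what happens when the list itself is damaged. As an added illustration that is not part of the mailing-list post, the following Python script reimplements the debsums-style check over a constructed package tree: it writes a manifest in dpkg's `<md5hex>  <relative path>` format, then tampers with one file, deletes another and appends a damaged manifest line, and reports each path as OK, FAILED, MISSING or BADLINE. The file names, contents and the `demo()` scenario are made up for the example; the point it shows is that an unparseable manifest line must be reported rather than skipped, since silently ignoring it would let a damaged manifest hide a modified file.

```python
"""Minimal debsums-style verifier (constructed example, not debsums itself).

dpkg keeps one /var/lib/dpkg/info/<pkg>.md5sums file per package, each
line being "<32 hex md5>  <path relative to />".  This reimplements the
check debsums performs so the failure modes discussed in the thread
(a modified file, a damaged manifest line) can be exercised offline.
"""
import hashlib
import os
import re
import tempfile

# One manifest line: 32 lowercase hex digits, two spaces, relative path.
MD5SUM_LINE = re.compile(r"^([0-9a-f]{32})  (.+)$")


def md5_of_file(path):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, rel_paths, manifest_path):
    """Produce a dpkg-style .md5sums manifest for the given files under root."""
    with open(manifest_path, "w") as out:
        for rel in rel_paths:
            out.write(f"{md5_of_file(os.path.join(root, rel))}  {rel}\n")


def verify_manifest(root, manifest_path):
    """Return {path: status} with status OK, FAILED, MISSING or BADLINE.

    A manifest line that does not parse is reported under a "<line N>" key
    instead of being skipped: a damaged or truncated manifest is itself a
    finding, not something to ignore.
    """
    results = {}
    with open(manifest_path) as f:
        for lineno, line in enumerate(f, 1):
            m = MD5SUM_LINE.match(line.rstrip("\n"))
            if not m:
                results[f"<line {lineno}>"] = "BADLINE"
                continue
            expected, rel = m.groups()
            full = os.path.join(root, rel)
            if not os.path.isfile(full):
                results[rel] = "MISSING"
            elif md5_of_file(full) == expected:
                results[rel] = "OK"
            else:
                results[rel] = "FAILED"
    return results


def demo():
    """Constructed scenario: one intact file, one modified file, one deleted
    file, and one damaged manifest line appended after the real entries."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/tool": b"#!/bin/sh\necho tool\n",
        "usr/share/doc/tool/README": b"docs\n",
        "etc/tool.conf": b"verbose=0\n",
    }
    for rel, data in files.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    manifest = os.path.join(root, "tool.md5sums")
    write_manifest(root, list(files), manifest)

    # Simulate what the verifier must catch: a changed binary, a removed
    # config file, and a corrupted line in the manifest itself.
    with open(os.path.join(root, "usr/bin/tool"), "ab") as f:
        f.write(b"echo extra\n")
    os.remove(os.path.join(root, "etc/tool.conf"))
    with open(manifest, "a") as f:
        f.write("zz not a valid md5sum line\n")
    return verify_manifest(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8} {path}")
```

Run it directly to see the four statuses; `verify_manifest()` can be pointed at a real `/var/lib/dpkg/info/<pkg>.md5sums` with `root="/"` to reproduce what debsums does for one package. Note that this checks files against the manifest only; it says nothing about whether the manifest itself is trustworthy, which is the separate point the thread raises about signatures.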