Re: debsums for maintainer scripts
Anthony DeRobertis <firstname.lastname@example.org> writes:
> On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > The only reason attackers don't do it is because with rpm noone cares
> > about the md5sums.
> Would you care to provide some evidence as to why Debian having md5sums
> on all pacakges would be any different for attackers than RedHat having
> it? Please keep in mind:
Its not the having part, its the using part.
> * Debian already has md5sums for many packages.
> * RedHat already has md5sums on all packages
> * RedHat (probably) has a larger installed base than Debian
> * RedHat is more known than Debian to the general public
> > Or the md5sum file was damaged.
> The md5sum file is much smaller, and thus is much less likely to be hit
> (by random chance)
> > PS: even if debian had md5sum lists for each package they would be
> > only current packages and not older version you would have installed.
> > A signature inside the deb would last.
> There is no technical reason we'd have to only have ones for the latest