[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

Anthony DeRobertis <asd@suespammers.org> writes:

> On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > 
> > The only reason attackers don't do it is because with rpm noone cares
> > about the md5sums.
> Would you care to provide some evidence as to why Debian having md5sums
> on all pacakges would be any different for attackers than RedHat having
> it? Please keep in mind:

Its not the having part, its the using part.

>       * Debian already has md5sums for many packages. 
>       * RedHat already has md5sums on all packages
>       * RedHat (probably) has a larger installed base than Debian
>       * RedHat is more known than Debian to the general public
> > Or the md5sum file was damaged.
> The md5sum file is much smaller, and thus is much less likely to be hit
> (by random chance)
> > PS: even if debian had md5sum lists for each package they would be
> > only current packages and not older version you would have installed.
> > A signature inside the deb would last.
> There is no technical reason we'd have to only have ones for the latest
> version.



Reply to: