On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> Anthony DeRobertis <email@example.com> writes:
>
> > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> >
> > > The only reason attackers don't do it is because with rpm no one cares
> > > about the md5sums.
> >
> > Would you care to provide some evidence as to why Debian having md5sums
> > on all packages would be any different for attackers than RedHat having
> > it? Please keep in mind:
>
> It's not the having part, it's the using part.

And Debian having a debsums program (an optional extra) would be more using than RedHat having an rpm program (an essential part of the system) would be more using, because...?

> > > PS: even if debian had md5sum lists for each package they would be
> > > only current packages and not older version you would have installed.
> > > A signature inside the deb would last.
> >
> > There is no technical reason we'd have to only have ones for the latest
> > version.
>
> Space.

Because the extra md5sums for the few package updates since Woody was released would take _so_ much mirror space. Possibly, even an entire floppy disk's worth!