[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debsums for maintainer scripts

On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> Anthony DeRobertis <asd@suespammers.org> writes:
> > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > 
> > > 
> > > The only reason attackers don't do it is because with rpm noone cares
> > > about the md5sums.
> > 
> > Would you care to provide some evidence as to why Debian having md5sums
> > on all pacakges would be any different for attackers than RedHat having
> > it? Please keep in mind:
> Its not the having part, its the using part.

And Debian having a debsums program (an optional extra) would be more
using than RedHat having an rpm program (an essential part of the
system) would be more using, because...?

> > > PS: even if debian had md5sum lists for each package they would be
> > > only current packages and not older version you would have installed.
> > > A signature inside the deb would last.
> > 
> > There is no technical reason we'd have to only have ones for the latest
> > version.
> Space.

Because the extra md5sums for the few packages updates since Woody was
released would take _so_ much mirror space. Possibly, even an entire
floppy disk's worth!

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: