Re: debsums for maintainer scripts
Anthony DeRobertis <firstname.lastname@example.org> writes:
> On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> > Anthony DeRobertis <email@example.com> writes:
> > > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > >
> > > >
> > > > The only reason attackers don't do it is because with rpm noone cares
> > > > about the md5sums.
> > >
> > > Would you care to provide some evidence as to why Debian having md5sums
> > > on all pacakges would be any different for attackers than RedHat having
> > > it? Please keep in mind:
> > Its not the having part, its the using part.
> And Debian having a debsums program (an optional extra) would be more
> using than RedHat having an rpm program (an essential part of the
> system) would be more using, because...?
Because we are talking about making verification checks enabled by
default. See also the signed debs thread that started this.
> > > > PS: even if debian had md5sum lists for each package they would be
> > > > only current packages and not older version you would have installed.
> > > > A signature inside the deb would last.
> > >
> > > There is no technical reason we'd have to only have ones for the latest
> > > version.
> > Space.
> Because the extra md5sums for the few packages updates since Woody was
> released would take _so_ much mirror space. Possibly, even an entire
> floppy disk's worth!
Having or not having is of the order of several 100MB. The shear
number of debs makes the impact.