
Re: debsums for maintainer scripts



Anthony DeRobertis <asd@suespammers.org> writes:

> On Sun, 2003-12-07 at 06:45, Goswin von Brederlow wrote:
> > Anthony DeRobertis <asd@suespammers.org> writes:
> > 
> > > On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:
> > > 
> > > > 
> > > > The only reason attackers don't do it is because with rpm no one cares
> > > > about the md5sums.
> > > 
> > > Would you care to provide some evidence as to why Debian having md5sums
> > > on all packages would be any different for attackers than RedHat having
> > > it? Please keep in mind:
> > 
> > It's not the having part, it's the using part.
> 
> And Debian having a debsums program (an optional extra) would be more
> using than RedHat having an rpm program (an essential part of the
> system), because...?

Because we are talking about making verification checks enabled by
default. See also the signed debs thread that started this.

> > > > PS: even if debian had md5sum lists for each package they would be
> > > > only current packages and not older versions you would have installed.
> > > > A signature inside the deb would last.
> > > 
> > > There is no technical reason we'd have to only have ones for the latest
> > > version.
> > 
> > Space.
> 
> Because the extra md5sums for the few package updates since Woody was
> released would take _so_ much mirror space. Possibly, even an entire
> floppy disk's worth!

Having or not having is of the order of several hundred MB. The sheer
number of debs makes the impact.

MfG
        Goswin


