
Re: proposed release goal: DEBIAN/md5sums for all packages



[Russ Allbery]
> While it's not the be-all and end-all of security, other OS vendors
> (Sun in particular) have found it useful to make available a central
> database of MD5 checksums of known-good versions of various binaries.

Hmmmm.  As far as being authoritative (and cryptographically secure),
we already have $MIRROR/dists/stable/main/binary-i386/Packages.bz2.

The thing is, if you're checking your system, you have to have
something to check it against.  If this is the md5sums file in
/var/lib/dpkg/info, it doesn't matter whether it's included in the
package.  But if you're using the copy from the .deb (because, say, you
don't trust your /var), it wouldn't be much harder to do 'dpkg-deb
--extract' and then md5sum the extracted directory, than to do
'dpkg-deb --control' and read DEBIAN/md5sums.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
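
The check Peter describes, as an added example that is not part of the original thread and not Debian's own tooling: a small verifier that reads a DEBIAN/md5sums listing (whether it came from /var/lib/dpkg/info or from 'dpkg-deb --control') and compares it against files on disk, plus the alternative route he mentions, where the reference checksums are instead computed from a tree produced by 'dpkg-deb --extract'. The package name, file paths and contents below are constructed for the demo; nothing here calls dpkg-deb, so it runs offline.

```python
"""Verify files on disk against a Debian DEBIAN/md5sums listing.

Added example, not code from the mailing-list thread or from dpkg.
The reference checksums come either from md5sums text (the format dpkg
ships in DEBIAN/md5sums and stores in /var/lib/dpkg/info) or are computed
from an extracted copy of the package.  All paths and file contents below
are constructed for the demonstration; 'demo-tool' is not a real package.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sums(text):
    """Parse md5sums format: '<32 hex digits>  <path relative to />' per line.

    Returns {path: hexdigest}.  A malformed line raises ValueError so a
    corrupted or truncated reference file fails loudly instead of silently
    leaving files unchecked.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")  # two spaces, as md5sum -c expects
        if not sep or len(digest) != 32 or not set(digest) <= HEX or not path:
            raise ValueError(f"malformed md5sums line {lineno}: {line!r}")
        entries[path] = digest
    return entries


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def md5sums_from_tree(root):
    """Walk an extracted package tree and checksum every regular file.

    This is the 'dpkg-deb --extract, then md5sum the directory' route from
    the message: the reference is rebuilt from the .deb's payload instead of
    being read from a stored listing.  Symlinks are skipped, as in md5sums.
    """
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            entries[os.path.relpath(full, root)] = md5_of_file(full)
    return entries


def format_md5sums(entries):
    """Render {path: digest} in md5sums file layout."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(entries.items()))


def verify(reference, root):
    """Compare files under root with reference {relpath: md5}.

    Returns (ok, mismatched, missing) as sorted lists of relative paths.
    """
    ok, mismatched, missing = [], [], []
    for rel, expected in sorted(reference.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of_file(full) != expected:
            mismatched.append(rel)
        else:
            ok.append(rel)
    return ok, mismatched, missing


def demo():
    """Build a constructed package tree, tamper with the 'installed' copy,
    and verify it both ways.  Returns verify()'s (ok, mismatched, missing)."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = os.path.join(tmp, "extracted")  # stands in for dpkg-deb --extract output
        installed = os.path.join(tmp, "installed")  # stands in for the live filesystem
        for root in (pristine, installed):
            os.makedirs(os.path.join(root, "usr/bin"))
            os.makedirs(os.path.join(root, "usr/share/doc/demo-tool"))
            with open(os.path.join(root, "usr/bin/demo-tool"), "wb") as f:
                f.write(b"#!/bin/sh\necho hello\n")
            with open(os.path.join(root, "usr/share/doc/demo-tool/README"), "wb") as f:
                f.write(b"constructed sample file\n")
        # Simulated tampering on the live system: one binary replaced, one file deleted.
        with open(os.path.join(installed, "usr/bin/demo-tool"), "wb") as f:
            f.write(b"#!/bin/sh\necho pwned\n")
        os.remove(os.path.join(installed, "usr/share/doc/demo-tool/README"))

        # Route 1: reference is md5sums text (as from dpkg-deb --control or /var/lib/dpkg/info).
        from_listing = parse_md5sums(format_md5sums(md5sums_from_tree(pristine)))
        # Route 2: reference is computed directly from the extracted tree.
        from_tree = md5sums_from_tree(pristine)
        assert from_listing == from_tree  # both routes yield the same reference
        return verify(from_listing, installed)


if __name__ == "__main__":
    ok, bad, gone = demo()
    print("ok:", ok, "mismatched:", bad, "missing:", gone)
```

Both routes produce the same reference, which is the point of the message: the check is only as good as where the checksums came from. A listing read from /var/lib/dpkg/info is worthless if /var is already suspect, and a listing (or tree) taken from a .deb is only authoritative if that .deb itself was checked against the archive's signed Packages data first. Note also that MD5 is collision-weak, so this detects accidental or unsophisticated modification rather than an adversary who can craft collisions.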
