
Md5/sha1sums for all the Release (was Re: proposed release goal: DEBIAN/md5sums for all packages)



On Fri, Aug 17, 2007 at 07:04:39PM -0500, Peter Samuelson wrote:
> 
> [Russ Allbery]
> > While it's not the be-all and end-all of security, other OS vendors
> > (Sun in particular) have found it useful to make available a central
> > database of MD5 checksums of known-good versions of various binaries.
> 
> Hmmmm.  As far as being authoritative (and cryptographically secure),
> we already have $MIRROR/dists/stable/main/binary-i386/Packages.bz2.

I actually would like to have a file similar to the Contents that provided 
the MD5/SHA1/whatever_hash of all the files distributed in Debian and have
that file included in the Release file (so that it's GPG signed and we
have a chain of trust).

This has been discussed at #268658 but so far FTP maintainers have remained
silent on this issue.

Such a per Release file with all the MD5sums could be really useful to do
forensic analysis of a system to detect corrupted (or locally modified)
contents. It could also complement the md5sums provided by packages and serve
as an additional reference to validate them if they are believed to be
tampered with.

Regards

Javier

Attachment: signature.asc
Description: Digital signature
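
Added example, not part of the original message: a sketch of the two-step check the proposal implies, where the per-file hash manifest is first matched against its entry in the Release file and installed files are then compared against the manifest. The manifest name `main/Checksums-i386`, its `<hash>  <path>` line format, and the choice of SHA256 are assumptions (no such file exists in the archive), and the GPG signature on Release is assumed to have been verified beforehand.

```python
import hashlib, os, tempfile

MANIFEST = "main/Checksums-i386"   # hypothetical file name, not a real archive file

def release_sha256(release_text, name):
    """Return the digest the Release file's SHA256 section records for name."""
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field header ends the section
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, _size, path = line.split()
            if path == name:
                return digest
    return None

def audit(release_text, manifest_bytes, root):
    """Verify the manifest against Release, then files under root against it."""
    # Assumption: release_text already passed GPG verification (e.g. with gpgv).
    expected = release_sha256(release_text, MANIFEST)
    if expected != hashlib.sha256(manifest_bytes).hexdigest():
        raise ValueError("manifest does not match the signed Release file")
    report = {}
    for line in manifest_bytes.decode().splitlines():
        digest, path = line.split(None, 1)    # assumed format: "<hash>  <path>"
        full = os.path.join(root, path)
        if not os.path.isfile(full):
            report[path] = "missing"
            continue
        with open(full, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        report[path] = "ok" if actual == digest else "modified"
    return report

def demo():
    """Constructed sample tree: bin/cat is altered after the manifest is built."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    files = {"bin/ls": b"original ls\n", "bin/cat": b"original cat\n"}
    for path, data in files.items():
        with open(os.path.join(root, path), "wb") as f:
            f.write(data)
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {p}\n"
                       for p, d in files.items()).encode()
    release = ("Suite: stable\nSHA256:\n "
               f"{hashlib.sha256(manifest).hexdigest()} {len(manifest)} {MANIFEST}\n")
    with open(os.path.join(root, "bin/cat"), "wb") as f:
        f.write(b"locally modified\n")
    return release, manifest, root

if __name__ == "__main__":
    print(audit(*demo()))
```

For forensic use the audit would run from trusted media against the mounted suspect filesystem, since a compromised system can lie about its own file contents.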