Re: md5sums files

On Wed, Mar 03, 2010 at 06:30:34AM +0000, Sune Vuorela wrote:
> On 2010-03-03, Wouter Verhelst <wouter@debian.org> wrote:
> > wouter@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
> > 2340
> > In this day and age of completely and utterly broken MD5[0], I think we
> > should stop providing these files, and maybe provide something else
> > instead.  Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing
> > md5sums.
> >
> > Or is it useful to be able to say "if it doesn't check out, it's
> > certainly corrupt, and if it does check out, it may be corrupt"? Didn't
> > think so.
> Hi
> Even crc32 or md4 would be good enough for this. Probably even counting
> '1 bits' in the files would be sufficient.
> The md5 sums aren't to be used in case of a break in, as you can't trust
> anything on the system anyway, but more for things like:
>  - did I make; sudo make install something on top of packages
>  - did I just quickly hack a p{erl,ython}-script on the system to do
>    something different and forgot

Which makes me think... wouldn't it be nice for dpkg to check that the
package files haven't been modified before upgrading?
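As an added example (not code from the thread or from dpkg itself), here is a small POSIX sh check in the spirit of the "did I make; sudo make install on top of a package" case above: it reads a dpkg-style .md5sums file and reports files that differ or are missing. The root-prefix argument and the constructed package tree are assumptions so it runs offline instead of against the real / and /var/lib/dpkg/info.

```shell
#!/bin/sh
# Added example, not from the thread or from dpkg: check a dpkg-style
# .md5sums file ("<md5hex>  <path relative to />", one per line) against a
# filesystem and report locally modified or missing files.
# Assumption: the second argument is a hypothetical root prefix so the check
# can run on a constructed tree instead of the real / and /var/lib/dpkg/info.

# check_md5sums <md5sums-file> <root>
# Prints "MODIFIED <path>" or "MISSING <path>" per problem; return value is
# the number of problems (0 = every listed file still matches its md5sum).
check_md5sums() {
    sums_file=$1; root=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        file="$root/$path"                     # paths with spaces unsupported
        if [ ! -f "$file" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$sums_file"
    return "$bad"
}

# Constructed scenario: record sums for a pristine "package" the way dpkg
# would, then simulate a local hack of a script and a file deleted by hand.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/share/doc/foo"
    printf '#!/bin/sh\necho hi\n' > "$root/usr/bin/foo"
    printf 'docs\n' > "$root/usr/share/doc/foo/README"
    printf 'untouched\n' > "$root/usr/share/doc/foo/copyright"
    ( cd "$root" && md5sum usr/bin/foo usr/share/doc/foo/README \
        usr/share/doc/foo/copyright ) > "$root/foo.md5sums"
    printf '#!/bin/sh\necho patched\n' > "$root/usr/bin/foo"   # edited in place
    rm "$root/usr/share/doc/foo/README"                          # removed
    status=0
    check_md5sums "$root/foo.md5sums" "$root" || status=$?
    rm -rf "$root"
    return "$status"
}

demo || echo "$? file(s) differ from the recorded md5sums"
```

Pointed at a real system, the same loop over /var/lib/dpkg/info/*.md5sums with root "/" answers the "did I overwrite a packaged file" question; as the thread says, it tells you nothing about a compromised host, where the sums files themselves cannot be trusted.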


