
Re: Bug#540215: Introduce dh_checksums

[Frank Lin PIAT]
> Please, let's do the easy move *now* for Squeeze, using shasums, and
> go ahead later with an even better solution.

Drawbacks: more CPU time on build daemons, slightly larger binary
packages to download, and some disruption when we're trying to get a
release out the door.

Advantages: ... umm ... warm fuzzy feeling that we aren't relying on
that old stupid broken MD5 thing that is so out of fashion these days
among the cognoscenti?

If you really want to use /var/lib/dpkg/info/pkg.*sums files for any
purpose other than detecting non-malicious corruption, obviously you
need _either_ some form of package signatures, _or_ a server akin to
http://packages.debian.org/changelogs/ for serving checksums from a
more trusted source.  And of course if you have that sort of server
support anyway - why not just calculate those sha16384 sums on the
server, with no change to the debs at all?
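
The point made above, as an added example that is not part of the original message: a checksum file stored beside the files it describes catches accidental corruption, but only a copy held by a separate trusted source still flags a change once the local copy has been rewritten, whatever hash is used. The directory layout, file contents and the `demo` scenario are constructed; the manifest lines follow the md5sum-style "digest, two spaces, relative path" layout.

```python
import hashlib
import os
import tempfile


def make_manifest(root, algo="sha256"):
    """Build '<hex digest>  <relative path>' lines for every file under root."""
    lines = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.new(algo, fh.read()).hexdigest()
            lines.append(f"{digest}  {os.path.relpath(path, root)}")
    return "\n".join(lines) + "\n"


def verify(root, manifest, algo="sha256"):
    """Return the sorted relative paths whose content does not match the manifest."""
    bad = []
    for line in manifest.splitlines():
        digest, rel = line.split("  ", 1)
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                actual = hashlib.new(algo, fh.read()).hexdigest()
        except OSError:
            actual = None  # missing or unreadable counts as a mismatch
        if actual != digest:
            bad.append(rel)
    return sorted(bad)


def demo(algo="sha256"):
    """Constructed scenario: local manifest versus a copy held elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        target = os.path.join(root, "usr/bin/tool")
        with open(target, "wb") as fh:
            fh.write(b"original contents\n")
        trusted = make_manifest(root, algo)  # held by a separate, trusted source
        local = trusted                      # copy stored next to the files

        # Accidental corruption: the file changes, the local manifest does not.
        with open(target, "wb") as fh:
            fh.write(b"original c0ntents\n")
        corruption = verify(root, local, algo)

        # Whoever can write the file can also rewrite the local manifest.
        local = make_manifest(root, algo)
        return corruption, verify(root, local, algo), verify(root, trusted, algo)
```

`demo()` returns three lists of mismatching paths: the local manifest after plain corruption, the local manifest after it has been regenerated, and the trusted copy.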

