Re: leaks in our only-signed-software fortress
I demand that Toni Mueller may or may not have written...
> On 02/18/2012 11:48 AM, Thomas Koch wrote:
>> What about a debhelper script that receives an URL (or set of mirror
>> URLs) and a SHA1 and does the download and check?
> If you're going this way, try to peek at the *BSD's ports systems,
> specifically their 'distinfo' files. SHA1 is not enough, imho.
For *xine* releases, I use MD5, SHA1 and SHA256. The hashes are then signed
using gpg. That's mainly for others, though; I Don't Need to check them when
doing packaging work for Debian.
--
| _ | Darren Salt, using Debian GNU/Linux (and Android)
| ( ) |
| X | ASCII Ribbon campaign against HTML e-mail
| / \ | http://www.asciiribbon.org/
A clean, neat, desk is a sign of a very sick mind.
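Added example, not part of the original message or of any Debian or xine tooling: a sketch of the "download, then check" step discussed in this thread, verifying a file against every digest recorded for it in a BSD-style distinfo listing. The `ALGO (file) = hex` and `SIZE (file) = n` line layout, the function names, and the sample tarball name and bytes are assumptions constructed for illustration; checking a gpg signature over the hash list itself is left to gpg.

```python
import hashlib
import hmac
import re

# Assumed line layout: "SHA256 (file.tar.gz) = <hex>" and "SIZE (file.tar.gz) = <bytes>"
LINE = re.compile(r"^(\w+) \((.+)\) = ([0-9A-Fa-f]+)$")
ALLOWED = {"MD5", "SHA1", "SHA256", "SHA512"}  # digests this checker will compute

def parse_distinfo(text):
    """Return {filename: {ALGO or 'SIZE': value}}; unparseable lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            algo, name, value = m.groups()
            entries.setdefault(name, {})[algo.upper()] = value.lower()
    return entries

def verify(name, data, entries, required=("SHA256",)):
    """Return a list of failures; an empty list means every recorded check passed."""
    expected = entries.get(name)
    if expected is None:
        return ["no entry for " + name]
    # A listing that only carries weaker digests is rejected outright.
    failures = [a + " missing" for a in required if a not in expected]
    for algo, value in expected.items():
        if algo == "SIZE":
            ok = value.isdigit() and int(value) == len(data)
        elif algo in ALLOWED:
            digest = hashlib.new(algo.lower(), data).hexdigest()
            ok = hmac.compare_digest(digest, value)
        else:
            ok = False  # unknown algorithm: fail closed rather than skip
        if not ok:
            failures.append(algo + " mismatch")
    return failures

def make_distinfo(name, data, algos=("SHA1", "SHA256")):
    """Build a listing for constructed sample data (what an upstream would publish)."""
    lines = ["%s (%s) = %s" % (a, name, hashlib.new(a.lower(), data).hexdigest())
             for a in algos]
    lines.append("SIZE (%s) = %d" % (name, len(data)))
    return "\n".join(lines)

# Constructed sample input: stand-in bytes for a downloaded upstream tarball.
NAME = "example-1.0.tar.gz"
SAMPLE = b"constructed stand-in for an upstream tarball\n"
DISTINFO = make_distinfo(NAME, SAMPLE)

if __name__ == "__main__":
    print(verify(NAME, SAMPLE, parse_distinfo(DISTINFO)))
```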