
Re: leaks in our only-signed-software fortress

I demand that Toni Mueller may or may not have written...

> On 02/18/2012 11:48 AM, Thomas Koch wrote:
>> What about a debhelper script that receives an URL (or set of mirror
>> URLs) and a SHA1 and does the download and check?

> If you're going this way, try to peek at the *BSD's ports systems,
> specifically their 'distinfo' files. SHA1 is not enough, imho.

For *xine* releases, I use MD5, SHA1 and SHA256. The hashes are then signed
using gpg. That's mainly for others, though; I Don't Need to check them when
doing packaging work for Debian.

|  _  | Darren Salt, using Debian GNU/Linux (and Android)
| ( ) |
|  X  | ASCII Ribbon campaign against HTML e-mail
| / \ | http://www.asciiribbon.org/

A clean, neat, desk is a sign of a very sick mind.
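
The download check discussed in this thread, as an added example that is not part of the original messages or any Debian tool: it verifies a fetched file against every digest recorded in a simplified BSD-ports-style `distinfo` manifest and refuses manifests that carry no SHA256 entry. The function names, the file name and the sample data are hypothetical, and the manifest itself is assumed to have been authenticated separately (for instance by the gpg signature described above).

```python
import hashlib
import re

# Manifest fields mapped to hashlib names; at least one STRONG digest is required.
KNOWN = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
STRONG = {"SHA256"}
LINE = re.compile(r"^(\w+) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {field: value}} from 'FIELD (file) = value' lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            field, name, value = m.groups()
            entries.setdefault(name, {})[field] = value
    return entries


def verify(name, data, entries):
    """Check data against every recorded field for name; return (ok, reason)."""
    fields = entries.get(name)
    if not fields:
        return False, "no manifest entry"
    if STRONG.isdisjoint(fields):
        return False, "no strong digest recorded"
    for field, expected in fields.items():
        if field == "SIZE":
            if len(data) != int(expected):
                return False, "SIZE mismatch"
        elif field in KNOWN:
            actual = hashlib.new(KNOWN[field], data).hexdigest()
            if actual != expected.lower():
                return False, field + " mismatch"
        else:
            return False, "unknown field " + field
    return True, "ok"


# Constructed sample: a stand-in "tarball" and the manifest upstream would publish.
SAMPLE = b"constructed example tarball contents\n"
MANIFEST = "\n".join(
    "%s (example-1.0.tar.gz) = %s" % (f, hashlib.new(h, SAMPLE).hexdigest())
    for f, h in KNOWN.items()
) + "\nSIZE (example-1.0.tar.gz) = %d\n" % len(SAMPLE)

if __name__ == "__main__":
    print(verify("example-1.0.tar.gz", SAMPLE, parse_distinfo(MANIFEST)))
    print(verify("example-1.0.tar.gz", SAMPLE + b"x", parse_distinfo(MANIFEST)))
```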
