
Re: no-strong-digests-in-dsc MBF



On 19.01.2017 14:27, Holger Levsen wrote:
> On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
>> The hashes inside the .dsc file are not used in Debian once the package has 
>> been accepted by dak. 
>>
>> * The trustable way of getting the source package is with apt-get source, 
>> when apt verifies the Release signature → hashes → Sources → hashes for each 
>> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz
> so this "trustable" way of getting the source packages relies on a piece
> of software, dak, running 24/365 on a machine (administrated by some
> volunteers in their free time) on the internet, not to be compromised?
> 
> I'm not sure I can really trust this very much.

AIUI we never exported the .changes files either, which would have
allowed an independent party to check if the files inserted came from a
developer or not.

> (and btw, let's drop md5sums for buster, "maybe", _completely_, or how long
> do we want to be joked about?)

I'm not sure why you say this. More than one hash is strictly better
than just one. They are bad for bandwidth, sure. But I don't think the
way they are used right now can be used for jokes except by quite
ignorant people.

Kind regards
Philipp Kern
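The chain Stuart describes (Release signature → hashes → Sources → hashes for each part of the source package), as an added example that is not part of this thread and not apt's or dak's code. It starts from a Release file that is assumed to have already passed the OpenPGP check apt does with gpgv against the archive keyring; that step is not reproduced here because no keyring is embedded. The Release stanza, the Sources stanza and the three source-package files are constructed in miniature so the script runs offline; the package name `hello` and all file contents are placeholders. Note that nothing in the verifier ever opens the .dsc to read its own Checksums fields: the .dsc is just one more file whose hash is listed in Sources, which is why tampering with those fields is caught by the Sources entry rather than by anything inside the .dsc.

```python
"""Walk the trust chain `apt-get source` relies on:

    Release (signature assumed verified) --SHA256--> Sources
    Sources --Checksums-Sha256--> .dsc, .orig.tar.gz, .debian.tar.xz

Added example, not apt or dak code. All inputs are constructed below.
"""
import hashlib
from typing import Dict, List, Tuple


class VerificationError(Exception):
    pass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed source package parts (placeholder bytes, not real archives).
SOURCE_FILES: Dict[str, bytes] = {
    "hello_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: hello\nVersion: 1.0-1\n",
    "hello_1.0.orig.tar.gz": b"\x1f\x8b not really gzip, constructed\n",
    "hello_1.0-1.debian.tar.xz": b"\xfd7zXZ not really xz, constructed\n",
}


def build_sources(files: Dict[str, bytes]) -> bytes:
    """Construct a one-stanza Sources index listing every part of the package."""
    lines = ["Package: hello", "Version: 1.0-1",
             "Directory: pool/main/h/hello", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {sha256_hex(data)} {len(data)} {name}")
    return ("\n".join(lines) + "\n").encode()


def build_release(sources: bytes) -> bytes:
    """Construct a Release stanza that pins the hash of the Sources index."""
    return ("Origin: Debian\nSuite: stretch\nSHA256:\n"
            f" {sha256_hex(sources)} {len(sources)} main/source/Sources\n").encode()


SOURCES = build_sources(SOURCE_FILES)
RELEASE = build_release(SOURCES)   # assumed: already verified with gpgv


def parse_checksum_field(index: bytes, field: str) -> Dict[str, Tuple[str, int]]:
    """Return {name: (sha256hex, size)} from a multi-line '<field>:' block in
    control-file text ('SHA256' in Release, 'Checksums-Sha256' in Sources)."""
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in index.decode().splitlines():
        if line.startswith(field + ":"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):   # next field or blank line ends the block
                in_block = False
                continue
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_blob(blob: bytes, name: str, trusted: Dict[str, Tuple[str, int]]) -> None:
    """Check one file against the (hash, size) pair listed in a trusted index."""
    if name not in trusted:
        raise VerificationError(f"{name}: not listed")
    digest, size = trusted[name]
    if len(blob) != size or sha256_hex(blob) != digest:
        raise VerificationError(f"{name}: hash/size mismatch")


def verify_source_package(release: bytes, sources: bytes,
                          files: Dict[str, bytes]) -> List[str]:
    """Follow Release -> Sources -> each file; return the names verified,
    raise VerificationError on the first link that does not match."""
    verify_blob(sources, "main/source/Sources", parse_checksum_field(release, "SHA256"))
    listed = parse_checksum_field(sources, "Checksums-Sha256")
    verified = []
    for name, data in files.items():
        verify_blob(data, name, listed)      # the .dsc's own Checksums-* are never read
        verified.append(name)
    return verified


def check(release: bytes, sources: bytes, files: Dict[str, bytes]) -> str:
    """Convenience wrapper returning 'ok' or 'rejected: <reason>'."""
    try:
        verify_source_package(release, sources, files)
        return "ok"
    except VerificationError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("pristine:", check(RELEASE, SOURCES, SOURCE_FILES))
    swapped = dict(SOURCE_FILES, **{"hello_1.0.orig.tar.gz": b"backdoored tarball\n"})
    print("swapped orig.tar.gz, old Sources:", check(RELEASE, SOURCES, swapped))
    print("swapped orig.tar.gz, re-signed Sources:",
          check(RELEASE, build_sources(swapped), swapped))
```

Each tampering attempt fails at a different link: a replaced orig.tar.gz no longer matches its Sources entry, and a Sources index rewritten to cover for it no longer matches the hash pinned in the signed Release, so the attacker would need the Release signing key rather than write access to the pool. Editing the Checksums lines inside the .dsc changes nothing about what is checked, because the .dsc itself is verified only by the hash Sources carries for it.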


