Bug#155676: [patch] dynamic sha1sums generation
[ No need to CC me, despite what the BTS does to Reply-To ]
On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:
> AIUI, that's usually avoided by listing the file size as well as the
> md5sum. At the very least listing the expected file size gives you a
> very easy check for a lot of accidental corruption.
True. And actually any weaknesses in MD5 are rather irrelevant for this
particular case, because a hostile attacker will be able to simply
replace any of the checksum files they want. But I think it's a good
idea to push SHA1 in general, so I used it. It would however be pretty
trivial to modify the patch to use MD5, and to include the file size.
> Wouldn't it be more sensible to put it in
>
> /var/lib/dpkg/checksums/foo.sha1
Yes it would. Thanks. I just did that in my local version; I'll send
in a new patch after any other changes the dpkg maintainers require are
made.
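
The size-then-digest check discussed in this message, as an added example that is not part of the original email or the dpkg patch. The in-memory manifest layout, function names and sample files are assumptions constructed for illustration; the last case shows that a party able to rewrite the manifest as well as the file still passes the check.

```python
import hashlib
import os
import tempfile

def entry(path):
    """Return (sha1_hex, size_in_bytes) for one file."""
    h, size = hashlib.sha1(), 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size

def verify(manifest):
    """Check each path against its recorded (sha1, size)."""
    report = {}
    for path, (digest, size) in manifest.items():
        if not os.path.isfile(path):
            report[path] = "missing"
        elif os.path.getsize(path) != size:
            report[path] = "size-mismatch"    # caught without reading the file
        elif entry(path)[0] != digest:
            report[path] = "digest-mismatch"  # same length, different content
        else:
            report[path] = "ok"
    return report

def demo():
    """Run the check over constructed sample files; return {name: status}."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"intact": b"unchanged\n", "truncated": b"0123456789\n",
                   "flipped": b"abcdefghij\n", "deleted": b"gone\n",
                   "rewritten": b"original\n"}
        paths = {name: os.path.join(d, name) for name in samples}
        for name, data in samples.items():
            with open(paths[name], "wb") as f:
                f.write(data)
        manifest = {p: entry(p) for p in paths.values()}
        with open(paths["truncated"], "wb") as f:
            f.write(b"01234")                 # shorter: size check fires
        with open(paths["flipped"], "wb") as f:
            f.write(b"abcdefghiJ\n")          # same size: only the digest differs
        os.remove(paths["deleted"])
        # Someone who can write the manifest too: file and entry change together.
        with open(paths["rewritten"], "wb") as f:
            f.write(b"replaced\n")
        manifest[paths["rewritten"]] = entry(paths["rewritten"])
        report = verify(manifest)
        return {name: report[p] for name, p in paths.items()}
```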