[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#155676: patch] dynamic sha1sums generation

[ No need to CC me, despite what the BTS does to Reply-To ]

On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:

> AIUI, that's usually avoided by listing the file size as well as the
> md5sum. At the very least listing the expected file size gives you a
> very easy check for a lot of accidental corruption.

True.  And actually any weaknesses in MD5 are rather irrelevant for this
particular case, because a hostile attacker will be able to simply
replace any of the checksum files they want.  But I think it's a good
idea to push SHA1 in general, so I used it.  It would however be pretty
trivial to modify the patch to use MD5, and to include the file size.

> Wouldn't it be more sensible to put it in
> 	/var/lib/dpkg/checksums/foo.sha1

Yes it would.  Thanks.  I just did that in my local version; I'll send
in a new patch after any other changes the dpkg maintainers require are

Reply to: