[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#155676: patch] dynamic sha1sums generation

On Wed, Aug 07, 2002 at 01:56:36PM -0400, Colin Walters wrote:
> On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:
> True.  And actually any weaknesses in MD5 are rather irrelevant for this
> particular case, because a hostile attacker will be able to simply
> replace any of the checksum files they want.  

Well, unless you backup /var/lib/dpkg/checksums/ to WORM media, like
a CD ROM or paper.

I had the coolest little "hack" that'd let you verify large numbers
of md5sums by hand from paper once... (think binary-trees, and md5sums
of md5sums)

But the key part of this is to have dpkg generate the md5sums at install
time. I suppose it'd actually be handy if you could generate the md5sums
just from the .deb without having to unpack it, too.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

 ``If you don't do it now, you'll be one year older when you do.''

Reply to: