Re: [RFC] Enhance checksum support
On Mon, Feb 11, 2008 at 09:07:38AM +1000, Anthony Towns wrote:
> On Sun, Feb 10, 2008 at 06:46:55PM +0100, Frank Lichtenheld wrote:
> > On Tue, Jan 29, 2008 at 04:06:12PM +1100, Anthony Towns wrote:
> > > On Sat, Jan 26, 2008 at 10:14:56PM +0100, Frank Lichtenheld wrote:
> > > > The whole thing honestly doesn't do much for security anyway until the gpg
> > > > support of dpkg-source is largely improved. For that I have no real concept
> > > > yet, though.
> > > Well, apt verifies them when it downloads the source before passing
> > > it to dpkg to unpack; and there's also verification when entering the
> > That would be news to me. And I can't seem to find that in the code,
> > either.
> $ apt-get source dpkg
> Reading package lists... Done
> Building dependency tree... Done
> Need to get 3385kB of source archives.
> Get:1 http://blah stable/main dpkg 1.13.25 (dsc) [853B]
> Get:2 http://blah stable/main dpkg 1.13.25 (tar) [3385kB]
> Fetched 3385kB in 10s (334kB/s)
> Failed to fetch http://blah/debian/pool/main/d/dpkg/dpkg_1.13.25.dsc MD5Sum mismatch
> E: Failed to fetch some archives.
I was talking about the GPG signature of the .dsc
Frank Lichtenheld <email@example.com>