Re: are md5sums mandatory for all packages?
Hi,
[Moving the discussion over to the policy list]
The addition of the md5sums has come up before. Personally, I
think the utility is limited, given the presence of tripwire, which
goes much further to ensure the integrity of the system (For example:
a bad guy changes /usr/sbin/foo *and* /var/lib/dpkg/info/foo.md5sum,
you shall not be any wiser; and you can't put /var/lib/dpkg/info on a
read only media).
However, if people still feel the need to do this, then it
should be done by dpkg --build, rather than be needlessly duplicated
by all package rules (and possibly done incorrectly).
There is no need to make this policy. Change dpkg, and it
shall happen for all packages automagically.
manoj
--
security measures executed by well meaning amateurs are usually
worth less than no security at all.
Manoj Srivastava <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
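
Added example, not part of the original message: a sketch of the scenario described above, where a checksum list stored on the same writable filesystem as /usr/sbin/foo is rewritten along with the file, so the on-host check passes while a copy of the list kept off the host still flags the change. The temporary directory tree, file contents and function names are constructed for illustration; the listing uses the "<digest>  <path>" line format that md5sum emits.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()


def write_md5sums(root, rel_paths, listing):
    """Write one '<hex digest>  <relative path>' line per file."""
    lines = [f"{md5_of(root / rel)}  {rel}" for rel in rel_paths]
    Path(listing).write_text("\n".join(lines) + "\n")


def verify(root, listing_text):
    """Return relative paths whose current digest differs from the listing."""
    bad = []
    for line in listing_text.splitlines():
        digest, rel = line.split("  ", 1)
        target = root / rel
        if not target.is_file() or md5_of(target) != digest:
            bad.append(rel)
    return bad


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # stands in for "/" (constructed sandbox)
        binary = root / "usr/sbin/foo"
        listing = root / "var/lib/dpkg/info/foo.md5sum"
        binary.parent.mkdir(parents=True)
        listing.parent.mkdir(parents=True)
        binary.write_bytes(b"original foo\n")
        write_md5sums(root, ["usr/sbin/foo"], listing)
        # Assumption: a copy of the listing is taken at install time and
        # stored where the host cannot write to it (e.g. read-only media).
        offline_baseline = listing.read_text()
        clean = verify(root, listing.read_text())

        # Both the file and the on-host listing change together.
        binary.write_bytes(b"modified foo\n")
        write_md5sums(root, ["usr/sbin/foo"], listing)

        on_host = verify(root, listing.read_text())  # nothing reported
        off_host = verify(root, offline_baseline)    # change reported
        return clean, on_host, off_host


if __name__ == "__main__":
    print(demo())
```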