
Re: are md5sums mandatory for all packages?



Hi,
	[Moving the discussion over to the policy list]

	The addition of the md5sums has come up before. Personally, I
 think the utility is limited, given the presence of tripwire, which
 goes much further to ensure the integrity of the system (For example:
 a bad guy changes /usr/sbin/foo *and* /var/lib/dpkg/info/foo.md5sum,
 you shall not be any wiser; and you can't put /var/lib/dpkg/info on a
 read only media).

	However, if people still feel the need to do this, then it
 should be done by dpkg --build, rather than be needlessly duplicated
 by all package rules (and possibly done incorrectly).

	There is no need to make this policy. Change dpkg, and it
 shall happen for all packages automagically.

	manoj
-- 
 security measures executed by well meaning amateurs are usually
 worth less than no security at all. 
Manoj Srivastava  <srivasta@acm.org> <http://www.datasync.com/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
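
The limitation raised in the message above, as an added example that is not part of the original post: a checksum manifest stored on the same writable filesystem as the files it covers cannot reveal a change when both are rewritten together, while a baseline copy kept elsewhere can. The temporary directory tree, file contents and function names are constructed for illustration; the manifest lines use the md5sum layout (digest, two spaces, relative path).

```python
import hashlib
import os
import tempfile

def md5_of(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def write_manifest(root, manifest, rel_paths):
    # One line per file: "<hex digest>  <path relative to root>"
    with open(manifest, "w") as fh:
        for rel in rel_paths:
            fh.write(f"{md5_of(os.path.join(root, rel))}  {rel}\n")

def read_manifest(manifest):
    entries = {}
    with open(manifest) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            entries[rel] = digest
    return entries

def changed_files(root, expected):
    """Return paths that are missing or whose digest differs from `expected`."""
    bad = []
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or md5_of(full) != digest:
            bad.append(rel)
    return bad

def demo():
    with tempfile.TemporaryDirectory() as root:
        rel = "usr/sbin/foo"
        manifest = os.path.join(root, "var/lib/dpkg/info/foo.md5sum")
        os.makedirs(os.path.join(root, "usr/sbin"))
        os.makedirs(os.path.dirname(manifest))
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"original contents (constructed sample)\n")
        write_manifest(root, manifest, [rel])
        baseline = read_manifest(manifest)  # stands in for a copy kept off the system
        # The file and the on-disk manifest are rewritten together.
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"modified contents (constructed sample)\n")
        write_manifest(root, manifest, [rel])
        local = changed_files(root, read_manifest(manifest))  # check against on-disk manifest
        offline = changed_files(root, baseline)               # check against external baseline
        return local, offline

if __name__ == "__main__":
    print(demo())
```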

