Re: are md5sums mandatory for all packages?
Manoj Srivastava wrote:
>
> All right, I think I am beginning to agree. Maybe dpkg *should*
> have integrity checking (as well as permission and ownership being
> recorded [in the .list file maybe?] -- like a ls -al listing)
I am always annoyed by having dpkg -c and dpkg -L use a different
format. Maybe this is the right time to put a tar -tv into .list
>
> If per file md5sums are to be recorded, then maybe they too
> should be pgp-signed (possibly by dpkg at package build time,
> possibly a detached signature).
As I already said, I think that maintainer's signatures are essential
for the Debian Installer to certify the origin and integrity of the
uploaded things, but could give a fake security if checked by users
later (maybe months later) on installed systems.
Fabrizio
--
| fpolacco@icenet.fi fpolacco@debian.org fpolacco@pluto.linux.it
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> Just because Red Hat do it doesn't mean it's a good idea. [Ian J.]