
Re: are md5sums mandatory for all packages?



Manoj Srivastava wrote:
> 
>         All right, I think I am beginning to agree. Maybe dpkg *should*
>  have integrity checking (as well as permission and ownership being
>  recorded [in the .list file maybe?] -- like a ls -al listing)

I am always annoyed by having dpkg -c and dpkg -L use a different
format. Maybe this is the right time to put a tar -tv into .list.

> 
>         If per file md5sums are to be recorded, then maybe they too
>  should be pgp-signed (possibly by dpkg at package build time,
>  possibly a detached signature).

As I already said, I think that maintainer's signatures are essential
for the Debian Installer to certify the origin and integrity of the
uploaded things, but could give a fake security if checked by users
later (maybe months later) on installed systems.


Fabrizio
-- 
| fpolacco@icenet.fi    fpolacco@debian.org    fpolacco@pluto.linux.it
| Pluto Leader - Debian Developer & Happy Debian 1.3.1 User - vi-holic
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
> Just because Red Hat do it doesn't mean it's a good idea. [Ian J.]

