[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MD5SUMs in debs / dpkg install hook (new thought)

On Fri, Dec 19, 1997 at 03:12:37PM +1300, Radu Duta wrote:
> What I'm thinking is that maybe it should be the responsability of dpkg,
> since it is the package manager after all.  The package itself works as
> is and there would be not much extra benefit from having the md5sums in
> the package, though the MD5SUMs should still be there.  Maybe they could
> be calculated at installation time (this would affect performace obviously),
> but it would be right thing to do.

Well, calculation at install time doesn't prevent somebody
modifying the .deb (which is easy), especially in the case
of non-official sites. Does dpkg check the MD5sum with
the one in the Packages file or in the archive itself?
Even then you could still tamper with an archive
and recalculate the MD5sum for the Packages
file or whatever. The only way to be really sure is
the .dsc file I guess, which is pgp-signed by the
real author.

I would prefer build time.

Hamish
-- 
Hamish Moffatt, hamish@debian.org, hamish@rising.com.au, hmoffatt@mail.com
Latest Debian packages at ftp://ftp.rising.com.au/pub/hamish. PGP#EFA6B9D5
CCs of replies from mailing lists are welcome.   http://hamish.home.ml.org
Reply to: