
Re: System integrity...



In article <E10uQN0-0007wP-00@polya> you write:
>Just a brief note about the thread there: if md5sums are included in
>packages, they will *only* be included for system integrity checks.
>They serve *no* useful security purpose.  Given this, the MD5 sums
>themselves should be adequate for the integrity tests.

What security would it offer if the dpkg md5sums file was signed by the
packager along with the *.dsc and the *.changes files?

If I am correct, that would 'almost' solve two problems at once, the
problem of authentication of dpkg files, and the problem of verifying an
installed system.

...almost, because the dpkg md5sums currently do not contain information
on control files, and configuration files may also cause problems. Maybe
these could be solved by dividing the md5sums into three sections, one
for normal files, another for control files, and another for config
files??

-- 
Brian May <bam@snoopy.apana.org.au>

Attachment: pgpFpwpIZJzij.pgp
Description: PGP signature
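
The distinction discussed in this message, as an added example that is not part of the original post and is not dpkg code: a bare md5sums list catches a changed file but not a rewritten list, while an authenticated list catches both. Assumptions: the function names, the key and the sample file are constructed, and HMAC-SHA256 stands in for the packager's PGP signature so the example runs offline.

```python
import hashlib, hmac, os, pathlib, tempfile

def md5_of(path):
    return hashlib.md5(pathlib.Path(path).read_bytes()).hexdigest()

def build_md5sums(root, relpaths):
    """dpkg md5sums layout: '<md5hex>  <path relative to root>' per line."""
    return "".join(f"{md5_of(os.path.join(root, p))}  {p}\n" for p in sorted(relpaths))

def check_md5sums(root, manifest):
    """Return the relative paths whose content no longer matches the list."""
    bad = []
    for line in manifest.splitlines():
        digest, relpath = line.split("  ", 1)
        full = os.path.join(root, relpath)
        if not os.path.isfile(full) or md5_of(full) != digest:
            bad.append(relpath)
    return bad

def sign(manifest, key):
    # Stand-in (assumption) for a detached public-key signature by the packager.
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()

def verify_installed(root, manifest, signature, key):
    """Authenticate the list first; only then trust it to judge the files."""
    if not hmac.compare_digest(sign(manifest, key), signature):
        return "manifest-untrusted", []
    bad = check_md5sums(root, manifest)
    return ("modified" if bad else "ok"), bad

def demo():
    key = b"constructed-packager-key"  # constructed sample value
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        tool = pathlib.Path(root, "usr/bin/tool")
        tool.write_bytes(b"original\n")
        manifest = build_md5sums(root, ["usr/bin/tool"])
        sig = sign(manifest, key)
        results = {"clean": verify_installed(root, manifest, sig, key)}
        # File changed, list untouched: the md5sums alone are enough to notice.
        tool.write_bytes(b"changed\n")
        results["file_changed"] = verify_installed(root, manifest, sig, key)
        # File and local list both rewritten: the unsigned check reports nothing,
        # but the original signature no longer matches the rewritten list.
        rewritten = build_md5sums(root, ["usr/bin/tool"])
        results["unsigned_after_rewrite"] = check_md5sums(root, rewritten)
        results["signed_after_rewrite"] = verify_installed(root, rewritten, sig, key)
    return results
```

The single flat list used here does not separate control files or configuration files, which is the gap the message points out.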

