Re: Bug#132767: debsum support should be mandatory
>>"Joey" == Joey Hess <joeyh@debian.org> writes:
Joey> Manoj Srivastava wrote:
>> In order to verify that the system is not compromised, at the
>> very least you need to have the hash file cryptographically
>> signed.
Joey> Sigh. Every time this issue comes off people wander off onto
Joey> areas of security. People *don't* use this for security, unless
Joey> they are idiots. People use this as an easy way to find out
Joey> what binaries were corrupted by their recent disk crash.
And if we do it right, as proposed in this thread, it _can_ be
used to check for malicious corruption as well as incidental corruption.
Joey> Oh well, nothing in this thread I haven't seen or strenuously objected
Joey> to at least 5 times before, so I'm killing it.
Histrionics aside, we do appear to be getting to a point where
we can implement a ``verify files in the package'' done right.
manoj
--
Don't SANFORIZE me!!
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C