Re: Time to replace MD5?

To: Bernd Eckenfels <ecki@lina.inka.de>
Cc: debian-security@lists.debian.org
Subject: Re: Time to replace MD5?
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Fri, 15 Jun 2007 10:40:27 +0200
Message-id: <[🔎] 878xal4nlw.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] E1HyF2X-0000YX-00@calista.eckenfels.net> (Bernd Eckenfels's message of "Wed, 13 Jun 2007 00:40:41 +0200")
References: <[🔎] E1HyF2X-0000YX-00@calista.eckenfels.net>

Bernd Eckenfels <ecki@lina.inka.de> writes:

> In article <[🔎] 20070612211349.GA6350@kitenet.net> you wrote:
>> I don't understand why DSAs for etch include md5sums and manual upgrade
>> instructions at all. Apt can verify the checksum and gpg signature and
>> handle the upgrade after all, and probably more securely than the
>> average user following the manual instructions.
>
> Because open source is all about choice. There might be admins using dpkg -i
> or security officers who build their local mirrors manually.

Then they can wget the Release.gpg file, Release file, Packages file
and check each in turn. Their choice.

As for local mirrors: debmirror and reprepro already check the
Release.gpg file if wanted and anybody using something else to mirror
should do so too.

So both aren't really good arguments to complicate the mails.

> Gruss
> Bernd

MfG
        Goswin

Reply to:

Follow-Ups:
- Re: Time to replace MD5?
  - From: Bernd Eckenfels <ecki@lina.inka.de>

References:
- Re: Time to replace MD5?
  - From: Bernd Eckenfels <ecki@lina.inka.de>

Prev by Date: RE: Packages being kept back after security notices
Next by Date: Re: Packages being kept back after security notices
Previous by thread: Re: Time to replace MD5?
Next by thread: Re: Time to replace MD5?
Index(es):
- Date
- Thread