Re: md5 hashes used in security announcements
On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
> On Sat, Oct 25, 2008 at 02:33, Kees Cook <email@example.com> wrote:
> > [...]
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement. The Release and Packages files for the archive have SHA1
> > and SHA256. The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
> If no one should download files individually from the announcement,
> there's no point in including that long list of package URLs and
> hashes in the announcements at all. It would be enough to say, "Please
> use apt or your favorite package manager to download the packages for
> your system."
This is not the first time this subject "collides" in this list, but I don't
remember seeing a justification for such a long array of information I never
understood the use for.
While I see the point of having an independent source for confirmation in case
of panic, if the Release and Package files are to be trusted, it seems the
version of the package should be enough, right?
Can anyone please explain why that long list of links and filenames is
interesting, or point to a link that does?