
Re: md5 hashes used in security announcements



On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
> On Sat, Oct 25, 2008 at 02:33, Kees Cook <kees@outflux.net> wrote:
> > [...]
> >
> > Additionally, it doesn't matter -- it's just the md5 in the email
> > announcement.  The Release and Packages files for the archive have SHA1
> > and SHA256.  The md5 from the announcement is almost not important,
> > IMO -- no one should download files individually from the announcement.
>
> If no one should download files individually from the announcement,
> there's no point in including that long list of package URLs and
> hashes in the announcements at all. It would be enough to say, "Please
> use apt or your favorite package manager to download the packages for
> your system."

+1 

This is not the first time this subject "collides" in this list, but I don't
remember seeing a justification for such a long array of information I never
understood the use for.

While I see the point of having an independent source for confirmation in case 
of panic, if the Release and Package files are to be trusted, it seems the 
version of the package should be enough, right?

Can anyone please explain why that long list of links and filenames is 
interesting, or point to a link that does?

best regards
FF
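The Release and Packages files that Kees mentions are the archive's own record of each package's size and SHA1/SHA256 (and MD5sum) digests. The following is an added example, not code from this thread or from Ubuntu's tooling: it parses a constructed Packages stanza in the Debian control format and checks a downloaded file's size and SHA256 against it, which is the check apt performs after fetching a .deb. The package name, path and file contents are constructed placeholders, not real archive data.

```python
import hashlib

# Constructed sample stanza in Packages-file (Debian control) format.
# The digests are those of the 11-byte string b"hello world", which stands
# in for a downloaded .deb below; this is not real archive data.
SAMPLE_PACKAGES = """\
Package: example-pkg
Version: 1.0-1
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb
Size: 11
MD5sum: 5eb63bbbe01eeed093cb22bb8f5acdc3
SHA1: 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
SHA256: b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9

Package: other-pkg
Version: 2.0-1
Filename: pool/main/o/other-pkg/other-pkg_2.0-1_amd64.deb
Size: 3
SHA256: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
"""

# Field name in the Packages file -> hashlib constructor name.
DIGEST_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_packages(text):
    """Split a Packages file into stanzas (dicts); stanzas are separated by
    blank lines and continuation lines start with whitespace."""
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
        elif line[0].isspace() and last_key:
            current[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
            last_key = key.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_package(stanzas, name, version):
    """Return the stanza for an exact (Package, Version) pair, or None."""
    for stanza in stanzas:
        if stanza.get("Package") == name and stanza.get("Version") == version:
            return stanza
    return None


def verify_package(data, stanza, field="SHA256"):
    """Check a fetched file's size and digest against the Packages stanza.
    Defaults to SHA256; a stanza missing the requested field fails closed."""
    if field not in DIGEST_FIELDS or field not in stanza:
        return False
    if "Size" in stanza and int(stanza["Size"]) != len(data):
        return False
    digest = hashlib.new(DIGEST_FIELDS[field], data).hexdigest()
    return digest == stanza[field].lower()


if __name__ == "__main__":
    stanzas = parse_packages(SAMPLE_PACKAGES)
    pkg = find_package(stanzas, "example-pkg", "1.0-1")
    print("genuine file:", verify_package(b"hello world", pkg))
    print("altered file:", verify_package(b"hello worle", pkg))
```

In a real deployment the Packages file is itself covered by the signed Release file, so the trust chain is the archive key rather than any digest quoted in an e-mail; this example only covers the last link, matching a file against the stanza apt already trusts.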

