[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: md5 hashes used in security announcements

* Sjors Gielen:

> Kees Cook wrote:
>> Additionally, it doesn't matter -- it's just the md5 in the email
>> announcement.  The Release and Packages files for the archive have SHA1
>> and SHA256.  The md5 from the announcement is almost not important,
>> IMO -- no one should download files individually from the announcement.
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

Historical reasons, from the days where you got Debian on a set of
CD-ROMs and repositories were not cryptographically signed.  If we
change the format of the announcements, we'd rather drop the hashes
altogether (and the URLs).

The hashes are somewhat hard to verify anyway because you need to follow
the Debian project pretty closely to figure out if the signature on the
advisory is genuine because it's created by individual developers.

Reply to: