Re: md5 hashes used in security announcements

To: debian-security@lists.debian.org
Subject: Re: md5 hashes used in security announcements
From: Bernd Eckenfels <ecki@lina.inka.de>
Date: Sat, 25 Oct 2008 22:23:23 +0200
Message-id: <[🔎] E1KtpfP-0002lT-00@calista.eckenfels.net>
In-reply-to: <[🔎] 20081025112802.GC19076@gardel.xinocat.com>

In article <[🔎] 20081025112802.GC19076@gardel.xinocat.com> you wrote:
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?

What I would much more prefer is a regularly signed list of
(non)announcements. This will make shure that anybody can verify if he is
not receiving alerts. If a entity is supressing updates to the list, you see
the missing signature. Kinda CRL for Packages. 

Then the alerts can skip URLs and Checksums, since if there is somebody who
parses them (instead of apt) to be shure his mirrors are not a old copy can
use the new more reliable list.

Gruss
Bernd

Reply to:

References:
- Re: md5 hashes used in security announcements
  - From: "W. Martin Borgert" <debacle@debian.org>

Prev by Date: Re: md5 hashes used in security announcements
Next by Date: Re: md5 hashes used in security announcements
Previous by thread: Re: md5 hashes used in security announcements
Next by thread: Re: md5 hashes used in security announcements
Index(es):
- Date
- Thread