Re: md5 hashes used in security announcements
In article <20081025112802.GC19076@gardel.xinocat.com> you wrote:
> I assume, it's tradition from the times, when only few people
> used apt-get and friends (and many years apt-get did not have
> signature support). A pointer to a "generic" description for
> people who don't want to/cannot use apt-get would be sufficient
> nowadays. Could someone from the security team correct me?
What I would much more prefer is a regularly signed list of
(non)announcements. This will make shure that anybody can verify if he is
not receiving alerts. If a entity is supressing updates to the list, you see
the missing signature. Kinda CRL for Packages.
Then the alerts can skip URLs and Checksums, since if there is somebody who
parses them (instead of apt) to be shure his mirrors are not a old copy can
use the new more reliable list.