
Re: md5 hashes used in security announcements

Felipe Figueiredo (philsf79@gmail.com) wrote on 25 October 2008 07:09:
 >On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
 >> On Sat, Oct 25, 2008 at 02:33, Kees Cook <kees@outflux.net> wrote:
 >> > [...]
 >> >
 >> > Additionally, it doesn't matter -- it's just the md5 in the email
 >> > announcement.  The Release and Packages files for the archive have SHA1
 >> > and SHA256.  The md5 from the announcement is almost not important,
 >> > IMO -- no one should download files individually from the announcement.
 >> If no one should download files individually from the announcement,
 >> there's no point in including that long list of package URLs and
 >> hashes in the announcements at all. It would be enough to say, "Please
 >> use apt or your favorite package manager to download the packages for
 >> your system."
 >This is not the first time this subject "collides" in this list, but I don't
 >remember seeing a justification for such a long array of information I never
 >understood the use for.
 >While I see the point of having an independent source for confirmation in case
 >of panic, if the Release and Package files are to be trusted, it seems the
 >version of the package should be enough, right?
 >Can anyone please explain why that long list of links and filenames is
 >interesting, or point to a link that does?

I use it to find out the package names to update, and sometimes the
version. Often a piece of software spreads through several packages,
or is packaged as a lib, or has some other change in the name.

Of course this doesn't apply to stable, where users should just use
apt-get upgrade. For unstable more caution is necessary.
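An added example to illustrate the two points in this thread (it is not code from the thread or from Debian's own tools): pulling package names and versions out of an announcement's URL list, and checking a downloaded .deb against the SHA256 in the Packages index rather than the md5 in the mail. The package names, bytes and index stanzas are constructed for the example.

```python
import hashlib
import re

def parse_packages_index(text):
    """Parse the stanza-per-package Debian Packages index format into a dict
    keyed by Filename, keeping only the fields needed for verification."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(ln.split(": ", 1) for ln in stanza.splitlines() if ": " in ln)
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def verify_deb(index, filename, data):
    """Check downloaded .deb bytes against the SHA256 recorded in the index
    (what apt trusts), instead of the md5 printed in the announcement."""
    entry = index.get(filename)
    if entry is None or "SHA256" not in entry:
        return False  # unknown file or index without SHA256: treat as unverified
    return hashlib.sha256(data).hexdigest() == entry["SHA256"]

DEB_NAME_RE = re.compile(r"([a-z0-9][a-z0-9+.-]*)_([^_/]+)_([a-z0-9]+)\.deb$")

def packages_in_announcement(text):
    """Pull (package, version, architecture) out of the .deb URLs listed in an
    announcement: the use described above, learning which package names
    (foo, libfoo1, ...) a fix actually touched."""
    return [m.groups() for url in re.findall(r"\S+\.deb", text)
            if (m := DEB_NAME_RE.search(url))]

# Constructed sample data (hypothetical names and bytes, not a real advisory).
FOO_DEB = b"constructed contents of foo_1.0-1_amd64.deb"
LIBFOO_DEB = b"constructed contents of libfoo1_1.0-1_amd64.deb"
SAMPLE_INDEX = parse_packages_index(
    "Package: foo\nVersion: 1.0-1\nArchitecture: amd64\n"
    "Filename: pool/updates/main/f/foo/foo_1.0-1_amd64.deb\n"
    "SHA256: " + hashlib.sha256(FOO_DEB).hexdigest() + "\n\n"
    "Package: libfoo1\nVersion: 1.0-1\nArchitecture: amd64\n"
    "Filename: pool/updates/main/f/foo/libfoo1_1.0-1_amd64.deb\n"
    "SHA256: " + hashlib.sha256(LIBFOO_DEB).hexdigest() + "\n")
SAMPLE_ANNOUNCEMENT = """\
  http://security.example.invalid/pool/updates/main/f/foo/foo_1.0-1_amd64.deb
    Size/MD5 checksum:    12345 00000000000000000000000000000000
  http://security.example.invalid/pool/updates/main/f/foo/libfoo1_1.0-1_amd64.deb
    Size/MD5 checksum:    23456 00000000000000000000000000000000
"""

if __name__ == "__main__":
    print(packages_in_announcement(SAMPLE_ANNOUNCEMENT))
    print(verify_deb(SAMPLE_INDEX, "pool/updates/main/f/foo/foo_1.0-1_amd64.deb", FOO_DEB))
```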
