Re: md5 hashes used in security announcements
Felipe Figueiredo (firstname.lastname@example.org) wrote on 25 October 2008 07:09:
>On Saturday 25 October 2008 00:20:46 Alexander Konovalenko wrote:
>> On Sat, Oct 25, 2008 at 02:33, Kees Cook <email@example.com> wrote:
>> > [...]
>> > Additionally, it doesn't matter -- it's just the md5 in the email
>> > announcement. The Release and Packages files for the archive have SHA1
>> > and SHA256. The md5 from the announcement is almost not important,
>> > IMO -- no one should download files individually from the announcement.
>> If no one should download files individually from the announcement,
>> there's no point in including that long list of package URLs and
>> hashes in the announcements at all. It would be enough to say, "Please
>> use apt or your favorite package manager to download the packages for
>> your system."
>This is not the first time this subject "collides" in this list, but I don't
>remember seeing a justification for such a long array of information I never
>understood the use for.
>While I see the point of having an independent source for confirmation in case
>of panic, if the Release and Package files are to be trusted, it seems the
>version of the package should be enough, right?
>Can anyone please explain why that long list of links and filenames is
>interesting, or point to a link that does?
I use it to find out the package names to update, and sometimes the
version. Often a piece of software spreads through several packages,
or is packaged as a lib, or has some other change in the name.
Of course this doesn't apply to stable, where users should just use
apt-get upgrade. For unstable more caution is necessary.
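Added example (not from this thread, and not Debian's or APT's own code) of the verification chain the quoted reply relies on: a Packages stanza is checked against the SHA256 entry in the Release file, and the downloaded .deb is checked against the strongest digest the stanza carries, so the md5 from the announcement is never the thing you depend on. The package name, version, file contents and Release/Packages text below are constructed for the example; signature verification of the Release file (InRelease / Release.gpg) is assumed to have happened already and is not shown.

```python
"""Verify a .deb against its archive index, preferring the strongest digest.

Everything here is constructed sample data, not real archive content.
The Release file is assumed to have been signature-checked beforehand.
"""
import hashlib

# Strongest digest first. An e-mail announcement that only carries an md5
# gives the weakest check; the archive's Packages file carries the others.
DIGEST_FIELDS = (("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5"))


def parse_stanzas(text):
    """Parse Debian control-format text (Packages, Release) into dicts."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        if line[0] in " \t":  # continuation line (Description, digest lists)
            key = list(current)[-1]
            current[key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_stanza(stanzas, package, version):
    """Locate the stanza for one package/version pair, or None."""
    for stanza in stanzas:
        if stanza.get("Package") == package and stanza.get("Version") == version:
            return stanza
    return None


def verify_index(index_bytes, release_stanza, path):
    """Check a Packages file against its SHA256/size entry in the Release file."""
    for entry in release_stanza.get("SHA256", "").splitlines():
        parts = entry.split()
        if len(parts) != 3:
            continue
        digest, size, name = parts
        if name == path:
            return (int(size) == len(index_bytes)
                    and hashlib.sha256(index_bytes).hexdigest() == digest)
    return False  # index not listed in Release: treat as untrusted


def verify(data, stanza):
    """Return (digest_field_used, ok) using the strongest digest present."""
    for field, algo in DIGEST_FIELDS:
        expected = stanza.get(field)
        if expected:
            actual = hashlib.new(algo, data).hexdigest()
            return field, actual == expected
    raise ValueError("stanza carries no digest field")


# --- constructed sample data (not a real package or archive) ---
PACKAGE_BYTES = b"constructed stand-in for the .deb contents\n"
PACKAGES_TEXT = (
    "Package: libexample1\n"
    "Version: 1.2.3-1\n"
    "Architecture: amd64\n"
    "Filename: pool/main/libe/libexample/libexample1_1.2.3-1_amd64.deb\n"
    f"Size: {len(PACKAGE_BYTES)}\n"
    f"MD5sum: {hashlib.md5(PACKAGE_BYTES).hexdigest()}\n"
    f"SHA1: {hashlib.sha1(PACKAGE_BYTES).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(PACKAGE_BYTES).hexdigest()}\n"
    "Description: constructed example package\n"
    " second line of the description\n"
    "\n"
    "Package: other\n"
    "Version: 0.1\n"
    f"MD5sum: {hashlib.md5(b'other').hexdigest()}\n"
)
PACKAGES_BYTES = PACKAGES_TEXT.encode()
RELEASE_TEXT = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)}"
    " main/binary-amd64/Packages\n"
)


def check_chain(package, version, data):
    """Release -> Packages -> .deb; returns (index_ok, digest_field, deb_ok)."""
    release = parse_stanzas(RELEASE_TEXT)[0]
    index_ok = verify_index(PACKAGES_BYTES, release, "main/binary-amd64/Packages")
    stanza = find_stanza(parse_stanzas(PACKAGES_TEXT), package, version)
    field, deb_ok = verify(data, stanza)
    return index_ok, field, deb_ok


if __name__ == "__main__":
    print(check_chain("libexample1", "1.2.3-1", PACKAGE_BYTES))
    print(check_chain("libexample1", "1.2.3-1", PACKAGE_BYTES + b"tampered"))
```

The stanza for "other" only carries an MD5sum, which is the situation the announcement e-mail puts you in; verify() reports which field it had to fall back on so a caller can refuse anything weaker than SHA256.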