On 2024-11-08 15:41:25 +0000 (+0000), Jeremy Stanley wrote:
[...]
> Now grab a package file like
> https://deb.debian.org/debian/pool/main/o/openssh/ssh_9.9p1-3_all.deb
> and unpack it (dpkg-deb ssh_9.9p1-3_all.deb foo)
[...]

Hopefully obvious, but that should have been `dpkg-deb -R ...` instead,
sorry! As always, check example commands against a proper manpage before
you run them. ;)

On 2024-11-08 16:52:19 +0100 (+0100), SZÉPE Viktor wrote:
[...]
> I am a frequent debsums runner. debsums alerts you when a file
> from a Debian package has changed. Please keep those MD5-s.

Yes, you completely snipped the part where I suggested that the MD5
checksums are used by the debsums utility, and are useful for spotting
on-disk changes to files after installation (mainly in cases of
accidental corruption, e.g. after a fsck repair or something). I haven't
seen anyone suggest removing them, and I'm not suggesting it either.

Obviously running a tool locally to check a local copy of checksums for
locally stored files isn't much of a security feature though, as an
attacker who is able to alter those files probably also had sufficient
access to alter the list of checksums, the checking tool, or anything
else they desired anyway. This is not a fault of using MD5, and
replacing it with a different algorithm wouldn't solve that regardless.

-- 
Jeremy Stanley
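The point made above, that a local checksum list only detects changes the list itself was not part of, can be shown with a small verifier in the style of debsums. The following is an added example, not code from the thread or from debsums itself: it parses the md5sums list format dpkg keeps under /var/lib/dpkg/info (one "<32 hex md5>  <path relative to />" entry per line), checks a constructed install root against it, and then repeats the check after the file alone, and after the file and the local list together, have been altered. The status strings, the temporary directory layout and the sample file are this example's own.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Format of dpkg's md5sums lists: 32 lowercase hex digits, two spaces,
# then the path relative to the filesystem root.
MD5SUMS_LINE = re.compile(r"^([0-9a-f]{32})  (\S.*)$")


def parse_md5sums(text: str) -> dict[str, str]:
    """Map each listed path to its expected MD5 hex digest; reject malformed lines."""
    sums: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MD5SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an md5sums entry: {line!r}")
        sums[m.group(2)] = m.group(1)
    return sums


def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(root: Path, sums: dict[str, str]) -> dict[str, str]:
    """Status per listed path: 'OK', 'FAILED' (content differs) or 'MISSING'.

    The status words are this example's own, not debsums' exact output."""
    results: dict[str, str] = {}
    for rel, expected in sums.items():
        p = root / rel
        if not p.is_file():
            results[rel] = "MISSING"
        elif md5_of_file(p) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def demo() -> dict[str, dict[str, str]]:
    """Constructed scenario: a fake install root holding one file and its md5sums list."""
    rel = "usr/share/doc/example/README"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / rel
        target.parent.mkdir(parents=True)
        target.write_bytes(b"original content\n")
        # The list as it would have been written at package install time.
        installed_list = parse_md5sums(f"{md5_of_file(target)}  {rel}\n")

        clean = verify(root, installed_list)

        # Accidental corruption or an unauthorised edit of the file alone: detected.
        target.write_bytes(b"altered content\n")
        file_only = verify(root, installed_list)

        # Whoever could rewrite the file could also rewrite the local list;
        # a check against that list is then satisfied, which is the
        # limitation the mail describes. Only a list obtained out of band
        # (e.g. from the archive's .deb) would still show the difference.
        rewritten_list = parse_md5sums(f"{md5_of_file(target)}  {rel}\n")
        file_and_list = verify(root, rewritten_list)

        return {
            "clean": clean,
            "file_altered": file_only,
            "file_and_list_altered": file_and_list,
        }


if __name__ == "__main__":
    for scenario, statuses in demo().items():
        print(scenario, statuses)
```

Swapping hashlib.md5 for hashlib.sha256 changes nothing in the third scenario: the verifier still trusts whatever list sits next to the files, which is why the algorithm choice is beside the point for that use.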