Re: md5sums in security advisories
On Tue, Apr 24, 2001 at 07:12:44PM -0400, Michael Stone wrote:
> nonononono! We *already* have the md5's available in a web-accessible
> form in the mailing list archives. Having them on the wml pages is a Bad
> Thing. There is no associated signature to validate that the md5's
> haven't been tampered with. It is likely that anyone who could modify
> the binaries on pandora could *also* modify the web pages. Adding md5's
> to the web pages is a dangerously misleading false sense of security.
> Anyone who wants this information for the purpose of validating a
> security upload *must* use the pgp-signed version *already available.*
They were requested by Wichert and Joey, so make sure they agree.
At a minimum, there should be a link to the appropriate page in the
James (Jay) Treacy