
List:       debian-devel
Subject:    Re: debsums for maintainer scripts
From:       Anthony DeRobertis <asd () suespammers ! org>
Date:       2003-12-07 9:21:08

On Fri, 2003-12-05 at 22:42, Goswin von Brederlow wrote:

> 
> The only reason attackers don't do it is because with rpm no one cares
> about the md5sums.

Would you care to provide some evidence as to why Debian having md5sums
on all packages would be any different for attackers than RedHat having
it? Please keep in mind:
      * Debian already has md5sums for many packages. 
      * RedHat already has md5sums on all packages
      * RedHat (probably) has a larger installed base than Debian
      * RedHat is more known than Debian to the general public

> Or the md5sum file was damaged.

The md5sum file is much smaller, and thus is much less likely to be hit
(by random chance).

> PS: even if debian had md5sum lists for each package they would be
> only current packages and not older versions you would have installed.
> A signature inside the deb would last.

There is no technical reason we'd have to only have ones for the latest
version.
