Peter Samuelson <[EMAIL PROTECTED]> writes: > I'd opt for dpkg generating the checksums upon _extracting_ the .deb > file. We already claim that the md5sums file isn't supposed to be any > kind of security thing. Why bother to ship it? It is redundant > information which can easily be regenerated on the user's system.
While it's not the be-all and end-all of security, other OS vendors (Sun in particular) have found it useful to make available a central database of MD5 checksums of known-good versions of various binaries. This has proven invaluable in not a few breakins and compromises when doing forensics. Since we have such a database essentially for free now in the form of the md5sums control files, I'd rather not take an approach that gets rid of it, even if it isn't a horribly effective security measure. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
