Hello world,

wou...@celtic:/var/lib/dpkg/info$ ls *md5sums|wc -l
2340
wou...@celtic:/var/lib/dpkg/info$ ls *sums|wc -l
2340
wou...@celtic:/var/lib/dpkg/info$ dpkg -l|sed -e'1,/=====/d'|wc -l
2483

I must say I was somewhat surprised by these numbers. Out of 2483 packages installed on my laptop, 2340 install md5sums.

While that might've been useful at some point, I don't think it still is. In this day and age of completely and utterly broken MD5[0], I think we should stop providing these files, and maybe provide something else instead. Like, I dunno, shasums? Or perhaps gpgsigs? But stop providing md5sums.

Or is it useful to be able to say "if it doesn't check out, it's certainly corrupt, and if it does check out, it may be corrupt"?

Didn't think so.

Thoughts?

[0] No reference. It's all over the internet. If you didn't know about MD5 being broken yet, where have you been sleeping these past few years?

-- 
The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system.
http://www.schneier.com/blog/archives/2009/01/biometrics.html