[Frank Lin PIAT]
> Please, let's do the easy move *now* for Squeeze, using shasums, and
> go ahead later with an even better solution.

Drawbacks: more CPU time on build daemons, slightly larger binary packages to download, and some disruption when we're trying to get a release out the door.

Advantages: ... umm ... warm fuzzy feeling that we aren't relying on that old stupid broken MD5 thing that is so out of fashion these days among the cognoscenti?

If you really want to use /var/lib/dpkg/info/pkg.*sums files for any purpose other than detecting non-malicious corruption, obviously you need _either_ some form of package signatures, _or_ a server akin to http://packages.debian.org/changelogs/ for serving checksums from a more trusted source.

And of course if you have that sort of server support anyway - why not just calculate those sha16384 sums on the server, with no change to the debs at all?

Peter

Archive: http://lists.debian.org/20100309165059.gr18...@p12n.org