* Christoph Anton Mitterer <cales...@scientia.net>, 2012-02-18, 16:19:
> Take the non-free flash as example... (yeah I know it's non-free and
> not officially sec-supported)..
> Even if it would use some SHA512 sums (hardcoded into the package) to
> verify the download (I don't know whether it does),.. the update
> mechanism is still outside of the package management system (one has
> to call update-flash or something like that)... so you bypass the
> whole central point of update management.
Completely agreed! We should remove flashplugin-nonfree from the
archive. Or wait, even simpler, you could just not install it.
FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn't
verify the signature.
See #515942.
You can easily check yourself that Contents-* checksums are mentioned in
the Release files, even for lenny. (Though indeed they weren't in Feb
2009.)
Feel free to unarchive and reopen the bug.
--
Jakub Wilk
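The check mentioned in the message above (Contents-* checksums listed in the Release file), as an added example that is not part of the original thread: it parses the SHA256 section of a Release file and verifies a downloaded index against it. It assumes the Release file's own signature was already verified (for example with gpgv against Release.gpg); the function names and sample data are constructed for illustration.

```python
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
        else:
            in_section = False  # any other field or blank line ends the section
    return entries

def verify_index(entries, path, data):
    """True only if path is listed in Release and both size and SHA256 match."""
    if path not in entries:
        return False  # an unlisted file is not covered by the Release signature
    digest, size = entries[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest

# Constructed sample: these bytes stand in for a downloaded Contents-amd64.gz.
CONTENTS = b"usr/bin/example  utils/example\n"
TAMPERED = b"usr/bin/example  utils/exbmple\n"  # same length, different content

# Constructed Release file in the archive's field layout.
RELEASE = (
    "Origin: Debian\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(CONTENTS).hexdigest()} {len(CONTENTS)} Contents-amd64.gz\n"
    f" {hashlib.sha256(b'pkgs').hexdigest()} 4 main/binary-amd64/Packages\n"
    "Description: constructed example\n"
)

ENTRIES = parse_release_sha256(RELEASE)

if __name__ == "__main__":
    for name, blob in (("genuine", CONTENTS), ("tampered", TAMPERED)):
        ok = verify_index(ENTRIES, "Contents-amd64.gz", blob)
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```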