On Wed, Jan 18, 2017 at 10:14:46AM +1100, Stuart Prescott wrote:
> The hashes inside the .dsc file are not used in Debian once the package has
> been accepted by dak.
>
> * The trustable way of getting the source package is with apt-get source,
> when apt verifies the Release signature → hashes → Sources → hashes for each
> part of the source package: dsc, orig.tar.gz, diff.gz/diff.tar.xz

So this "trustable" way of getting the source packages relies on a piece of
software, dak, running 24/365 on a machine (administrated by some volunteers
in their free time) on the internet, to not be compromised? I'm not sure I
can really trust this very much.

> * The not-really-trustable way of getting the source package is with "dget
> http://.../package.dsc". Using the dsc directly, dget will check the
> signature on the dsc and check the hashes.

I'd really like to see strong hashes used here.

(And btw, let's drop md5sums for buster, "maybe", _completely_, or how long do
we want to be joked about?)

-- 
cheers,
	Holger
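The step the thread calls "Sources → hashes for each part of the source package" is the one a verifier actually has to implement once the signed Release file has vouched for the Sources index. The following is an added illustration, not code from the thread or from apt, dak or dget: it renders a constructed Sources stanza for a source package, parses the control-file format back, checks every part against its Checksums-Sha256 entry, and refuses stanzas that carry only the legacy MD5-based Files field. The package name, file names and file contents are all constructed for the example.

```python
"""Check a Debian source package's parts against a Sources index stanza.

Added example (not apt/dak/dget code).  Everything here is constructed:
the package, its three parts and the stanza that indexes them.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-ins for the three parts of a source package.
SAMPLE_PARTS: Dict[str, bytes] = {
    "hello_2.10-1.dsc": b"Format: 3.0 (quilt)\nSource: hello\nVersion: 2.10-1\n",
    "hello_2.10.orig.tar.gz": b"\x1f\x8b constructed orig tarball payload\n",
    "hello_2.10-1.debian.tar.xz": b"\xfd7zXZ constructed debian tarball payload\n",
}


def publish_stanza(name: str, version: str, parts: Dict[str, bytes],
                   with_sha256: bool = True) -> str:
    """Render the Sources stanza an archive indexer would emit for `parts`.

    with_sha256=False produces a legacy stanza that lists the parts only in
    the MD5-based 'Files' field, which the verifier below must reject.
    """
    lines = [f"Package: {name}", f"Version: {version}",
             f"Directory: pool/main/{name[0]}/{name}", "Files:"]
    for fname, data in parts.items():
        lines.append(f" {hashlib.md5(data).hexdigest()} {len(data)} {fname}")
    if with_sha256:
        lines.append("Checksums-Sha256:")
        for fname, data in parts.items():
            lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {fname}")
    return "\n".join(lines) + "\n"


def parse_stanza(text: str) -> Dict[str, List[str]]:
    """Parse one control-file stanza into field -> list of value lines.

    Simple fields become a one-element list; multi-line fields such as
    Checksums-Sha256 keep each continuation line (leading space) as an entry.
    """
    fields: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            key, _, value = raw.partition(":")
            current = key.strip()
            fields[current] = [value.strip()] if value.strip() else []
    return fields


def checksum_entries(fields: Dict[str, List[str]], key: str) -> Dict[str, Tuple[str, int]]:
    """Turn a '<digest> <size> <filename>' field into filename -> (digest, size)."""
    entries: Dict[str, Tuple[str, int]] = {}
    for line in fields.get(key, []):
        digest, size, fname = line.split()
        entries[fname] = (digest, int(size))
    return entries


def verify_parts(stanza_text: str, parts: Dict[str, bytes]) -> List[str]:
    """Return the list of problems found; an empty list means every part
    matched a SHA-256 entry in the stanza and nothing unlisted was present."""
    fields = parse_stanza(stanza_text)
    strong = checksum_entries(fields, "Checksums-Sha256")
    if not strong:
        # Only the MD5 'Files' field is available: treat as unverifiable.
        return ["stanza carries no Checksums-Sha256 field; MD5-only 'Files' is not accepted"]
    problems: List[str] = []
    for fname, (digest, size) in strong.items():
        data = parts.get(fname)
        if data is None:
            problems.append(f"{fname}: listed in index but missing")
            continue
        if len(data) != size:
            problems.append(f"{fname}: size {len(data)} != {size}")
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            problems.append(f"{fname}: sha256 mismatch")
    for fname in parts:
        if fname not in strong:
            problems.append(f"{fname}: present but not listed in index")
    return problems


if __name__ == "__main__":
    stanza = publish_stanza("hello", "2.10-1", SAMPLE_PARTS)
    print("clean:", verify_parts(stanza, SAMPLE_PARTS) or "ok")
    tampered = dict(SAMPLE_PARTS, **{"hello_2.10.orig.tar.gz": b"replaced"})
    print("tampered:", verify_parts(stanza, tampered))
    print("md5-only:", verify_parts(publish_stanza("hello", "2.10-1", SAMPLE_PARTS, False), SAMPLE_PARTS))
```

The index stanza is only as trustworthy as the signature chain that delivered it, which is the point of Holger's objection; what this example adds is the local half of the check, including the policy decision to treat an MD5-only stanza as "not verified" rather than silently falling back to the weak digest.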