On Fri, Dec 19, 1997 at 03:12:37PM +1300, Radu Duta wrote: > What I'm thinking is that maybe it should be the responsability of dpkg, > since it is the package manager after all. The package itself works as > is and there would be not much extra benefit from having the md5sums in > the package, though the MD5SUMs should still be there. Maybe they could > be calculated at installation time (this would affect performace obviously), > but it would be right thing to do.
Well, calculation at install time doesn't prevent somebody modifying the .deb (which is easy), especially in the case of non-official sites. Does dpkg check the MD5sum with the one in the Packages file or in the archive itself? Even then you could still tamper with an archive and recalculate the MD5sum for the Packages file or whatever. The only way to be really sure is the .dsc file I guess, which is pgp-signed by the real author. I would prefer build time. Hamish -- Hamish Moffatt, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Latest Debian packages at ftp://ftp.rising.com.au/pub/hamish. PGP#EFA6B9D5 CCs of replies from mailing lists are welcome. http://hamish.home.ml.org
