On Fri, Oct 18, 2002 at 10:48:16AM -0400, R. Bradley Tilley wrote:
> Why can't apt-get be modified to check the md5sum of a package against an
> official debian md5sum list before downloading and installing debs? This
> seems much simpler and easier than signing debs.

It does. The problem is, how to get an official debian md5sum list? This is, basically, what apt-check-sigs does. It checks the validity of the Packages files (which contain md5sums of individual packages) with a gpg signature.

Jan
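The two checks described in the reply above, as an added example that is not part of the original thread and is not apt-check-sigs code: a package is accepted only when the md5sum list was authenticated first and the downloaded bytes match its entry. It assumes a detached signature made directly over the index file; the function names, the keyring argument and the sample package data are constructed for illustration.

```python
import hashlib
import subprocess

def gpgv_accepts(index_path, sig_path, keyring):
    """True only if gpgv validates the detached signature with a key in keyring."""
    proc = subprocess.run(["gpgv", "--keyring", keyring, sig_path, index_path],
                          capture_output=True)
    return proc.returncode == 0

def parse_packages(text):
    """Map each stanza's Filename to its (MD5sum, Size) pair."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation of a multi-line field such as Description
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if {"Filename", "MD5sum", "Size"} <= fields.keys():
            index[fields["Filename"]] = (fields["MD5sum"].lower(), int(fields["Size"]))
    return index

def deb_matches(index, filename, data):
    """Check downloaded bytes against the index entry; unknown files fail."""
    if filename not in index:
        return False
    md5sum, size = index[filename]
    return len(data) == size and hashlib.md5(data).hexdigest() == md5sum

def verify_download(index_text, index_trusted, filename, data):
    """Accept a package only if the index itself was authenticated first."""
    if not index_trusted:
        return False  # an unsigned md5sum list proves nothing about its origin
    return deb_matches(parse_packages(index_text), filename, data)

# Constructed sample data (not real packages or a real archive index).
def make_index(filename, data):
    return (f"Package: hello\nVersion: 1.0-1\nFilename: {filename}\n"
            f"Size: {len(data)}\nMD5sum: {hashlib.md5(data).hexdigest()}\n"
            "Description: constructed sample\n example long description\n")

GOOD_DEB = b"constructed original package bytes"
EVIL_DEB = b"constructed replaced package bytes"
PATH = "pool/main/h/hello/hello_1.0-1_i386.deb"
```

In use, `index_trusted` is the result of `gpgv_accepts(...)` on the index as fetched. A mirror that rewrites both the package and the list passes `deb_matches` on its own, which is why the signature check comes first.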

