To whom it may concern,
dpkg currently uses MD5 to verify packages, but MD5 is considered
insecure. Why not switch to SHA256 (and also update lintian)?
Also, to make verifying packages more useful, why not get a checksum
from a more trusted source, like a main Debian package repository to
compare with what is generated from a package from a mirror?
Are there any other ways to make checksumming packages more useful?
Does dpkg or apt currently check package checksums if you don't run
dpkg --verify? Can the checksumming ever cause a failure?
Please, include my email address in the CC if you respond to this
message. I am not subscribed to the mailing list.
--
David Campbell
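The comparison the message proposes, a locally computed digest checked against a sum obtained from a more trusted source than the mirror that served the file, can be illustrated as follows. This is an added example, not code from the message or from dpkg/apt. It assumes GNU coreutils (sha256sum, cut, mktemp) and awk, uses the two-column "<hex>  <name>" list format that `sha256sum -c` reads, and the file contents and sums it checks are constructed for the demo. The security-relevant caveat is in the design, not the code: the reference list only adds assurance if it is fetched over an authenticated channel (signed, or from an independently trusted host); a sum downloaded from the same mirror as the package tells you nothing about tampering on that mirror.

```shell
#!/bin/sh
# Added example (not from the original message): verify a downloaded file
# against a SHA-256 sum published by a trusted source, rather than trusting
# MD5 sums shipped inside the artifact itself.  Names and sums are constructed.

# Print the hex SHA-256 of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 if FILE's SHA-256 equals EXPECTED (hex compared case-insensitively),
# 1 otherwise.  MD5 is deliberately not offered as an alternative here.
verify_sha256() {
    vs_file="$1"
    vs_expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    vs_actual="$(sha256_of "$vs_file" | tr 'A-F' 'a-f')"
    [ "$vs_actual" = "$vs_expected" ]
}

# Look up FILE's basename in a SHA256SUMS-style list ("<hex>  <name>" per
# line) and verify against that entry.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the file.
verify_from_list() {
    vl_file="$1"
    vl_sums="$2"
    vl_name="$(basename "$vl_file")"
    # Exact basename match; first matching line wins.
    vl_expected="$(awk -v n="$vl_name" '$2 == n { print $1; exit }' "$vl_sums")"
    [ -n "$vl_expected" ] || return 2
    verify_sha256 "$vl_file" "$vl_expected"
}

# Demo on constructed data: a stand-in ".deb" whose content is the line
# "hello", and a trusted-list entry carrying that content's known SHA-256.
demo() {
    d_dir="$(mktemp -d)"
    printf 'hello\n' > "$d_dir/pkg_1.0_all.deb"
    cat > "$d_dir/SHA256SUMS" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  pkg_1.0_all.deb
0000000000000000000000000000000000000000000000000000000000000000  other_2.0_all.deb
EOF
    if verify_from_list "$d_dir/pkg_1.0_all.deb" "$d_dir/SHA256SUMS"; then
        echo "OK: $d_dir/pkg_1.0_all.deb matches the trusted SHA-256 list"
    else
        echo "FAIL: checksum mismatch or no trusted entry (rc=$?)"
    fi
    rm -rf "$d_dir"
}

demo
```

In practice the list would be written by the trusted side with `sha256sum *.deb > SHA256SUMS` and its authenticity established separately (for example by a signature check) before `verify_from_list` is consulted; the exit code distinguishes "mismatch" from "no reference available", since treating an absent entry as success would silently disable the check.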