From: debianmailinglists.hz...@simplelogin.com:

> I'm not a Debian developer, just a curious onlooker who hasn't seen all
> of these messages, so I could be completely off base with my understanding
> of how things work. But it was my understanding that the bundled MD5
> inside a .deb file isn't there for security; it's just there to make
> sure the packages arrived in one piece and weren't corrupted, and for
> that purpose it's still perfectly adequate. The "security", or
> validity of the packages' origin, is ensured by the digital signature
> on the packages or repos. A malicious package forged to match a
> desired MD5 would still fail a digital signature check.
>
> Am I incorrect in how this all works?
As I understand things (corrections, please), the individual packages are usually not signed. Instead, the repository metadata is signed. The metadata has the MD5 checksums.

Also see <https://en.wikipedia.org/wiki/Deb_(file_format)#Signed_packages>.

Jeff
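The trust chain Jeff describes, as an added example that is not part of the thread or of Debian's tooling: a constructed Release file lists the hash of a constructed Packages index, which in turn lists the MD5sum and SHA256 of constructed .deb bytes, and the .deb itself carries no signature. The OpenPGP signature that gpgv checks on a real InRelease is replaced by an HMAC with a constructed key so the script runs offline; the package name, path and key are assumptions.

```python
"""Model of the APT trust chain discussed in the thread: the signed Release
file lists hashes of the Packages index, which lists hashes (MD5sum and
SHA256) of each .deb; the .deb itself carries no signature. Added example,
not Debian's code: the OpenPGP signature gpgv checks is an HMAC stand-in."""
import hashlib
import hmac
import re

ARCHIVE_KEY = b"constructed stand-in for the archive signing key"
# Constructed sample package bytes; a real .deb is an ar archive.
SAMPLE_DEB = b"!<arch>\ndebian-binary   2.0\ncontrol.tar.xz ... data.tar.xz ...\n"

def build_packages(deb: bytes) -> bytes:
    """One Packages stanza for the sample .deb, with both hash fields."""
    return (f"Package: example\nVersion: 1.0\nArchitecture: all\n"
            f"Filename: pool/main/e/example_1.0_all.deb\nSize: {len(deb)}\n"
            f"MD5sum: {hashlib.md5(deb).hexdigest()}\n"
            f"SHA256: {hashlib.sha256(deb).hexdigest()}\n").encode()

def build_release(packages: bytes) -> bytes:
    """Release lists '<hash> <size> <path>' for every index file it covers."""
    return (f"Suite: stable\nSHA256:\n {hashlib.sha256(packages).hexdigest()} "
            f"{len(packages)} main/binary-all/Packages\n").encode()

def sign_release(release: bytes) -> bytes:
    """Stand-in for the archive's OpenPGP signature (HMAC with constructed key)."""
    return hmac.new(ARCHIVE_KEY, release, hashlib.sha256).digest()

def verify_chain(release: bytes, sig: bytes, packages: bytes, deb: bytes) -> str:
    """Walk signature -> Release -> Packages -> .deb and report the first failure."""
    if not hmac.compare_digest(sign_release(release), sig):
        return "release signature invalid"
    m = re.search(r"^ ([0-9a-f]{64}) (\d+) main/binary-all/Packages$",
                  release.decode(), re.M)
    if (m is None or m.group(1) != hashlib.sha256(packages).hexdigest()
            or int(m.group(2)) != len(packages)):
        return "Packages index does not match signed Release"
    fields = dict(re.findall(r"^(\w+): (.*)$", packages.decode(), re.M))
    # SHA256 is the field that carries the security; MD5sum is not consulted.
    if (fields.get("SHA256") != hashlib.sha256(deb).hexdigest()
            or int(fields.get("Size", -1)) != len(deb)):
        return ".deb does not match Packages index"
    return "ok"
```

Replacing the .deb bytes fails at the Packages step, and rewriting the Packages index to match the replacement fails at the Release step, because the index hash is covered by the signature; only the signature on the metadata needs to hold.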