Scripsit [EMAIL PROTECTED] > why is the md5sums file useless and space wasting especially in > terms of security? until now, I was of the opinion, that the md5sum > gives me the guarantee that a debian package is not penetrated > before installation
No, that's what the checksum of the entire .deb file in the Packages file is there for. An attacker who can tamper with /usr/bin/foo within the .deb can just as easily tamper with the md5sums file within the .deb. > and further - after having the packages installed on a machine - the > md5sum files give me the confidence that the debian binaries are > correct and consistent. No. An attacker who changes the binaries can just as easily change the md5sum files stored in /var/lib/dpkg/info. If you go to a trusted copy of the .deb file for verifying your binaries, you have the original binaries right there, and do not need precomputed checksums for comparing them bit-for-bit with what's on your disk. It has been argued on debian-devel (read the thread!) that the md5sums files can be handy to have for detection of non-malicious random acts of God. But the sense of *security* gained by having the .deb install a set of checksums on the same machine as the package itself is false. -- Henning Makholm "Det er du nok fandens ene om at mene. For det ligger i Australien!"