On Sun, Aug 22, 2010 at 05:23:17PM +0200, bendeguz wrote:
> On Sun, Aug 22, 2010 at 02:37:27PM +0100, Ken Moffat wrote:
> >
> > Actually, the situation is worse than that! For most packages
> > in the BLFS book, the md5sum was generated by an editor.
> > I'm sure the gentoo sha sums are similar.
> >
>
> Please forgive my stupidity, but I'm afraid I don't
> clearly understand you. Would you please be so kind
> and lighten me up?
>
> bendeguz
> --

We have the following situations:
1. The package maintainer uploads an md5 or sha to the directory
where people download the tarball. No doubt that the sum is a
match for the unaltered source. Unfortunately, very few packages
are in this group.

2. The package is available. Someone runs md5sum or shasum to
record the 'signature' of the tarball they used. If that was with
unaltered source code, this is good enough. But if the source code
had already been hacked ...

ĸen [ or for you, 'ken' since you can't render my preferred character ].
--
the one time as tragedy, the other time as farce
