[ No need to CC me, despite what the BTS does to Reply-To ]

On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:

> AIUI, that's usually avoided by listing the file size as well as the
> md5sum. At the very least listing the expected file size gives you a
> very easy check for a lot of accidental corruption.

True. And actually any weaknesses in MD5 are rather irrelevant for this particular case, because a hostile attacker will be able to simply replace any of the checksum files they want. But I think it's a good idea to push SHA1 in general, so I used it. It would however be pretty trivial to modify the patch to use MD5, and to include the file size.

> Wouldn't it be more sensible to put it in
>
> /var/lib/dpkg/checksums/foo.sha1

Yes it would. Thanks. I just did that in my local version; I'll send in a new patch after any other changes the dpkg maintainers require are made.
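
Added example, not part of the original message or of the patch it discusses: a sketch of the size-plus-SHA1 check from the thread, showing that the size comparison catches truncation without reading the file and that a checksum file stored beside the data gives no protection once it can be rewritten. The manifest line format, the function names and the sample file are assumptions made for this illustration.

```python
import hashlib
import os
import tempfile

def make_entry(path):
    """Build one manifest line: '<sha1hex>  <size>  <path>' (assumed format)."""
    with open(path, "rb") as f:
        data = f.read()
    return f"{hashlib.sha1(data).hexdigest()}  {len(data)}  {path}"

def verify_entry(line):
    """Return 'ok', 'missing', 'size-mismatch' or 'hash-mismatch' for one line."""
    digest, size, path = line.split("  ", 2)
    try:
        # Cheap first pass: a stat() call catches truncation and most
        # accidental corruption without hashing anything.
        if os.stat(path).st_size != int(size):
            return "size-mismatch"
        h = hashlib.sha1()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except FileNotFoundError:
        return "missing"
    return "ok" if h.hexdigest() == digest else "hash-mismatch"

def demo():
    """Run the check against a constructed sample file in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "foo.conf")
        with open(path, "wb") as f:
            f.write(b"setting=1\n" * 100)          # constructed sample content
        entry = make_entry(path)
        results["intact"] = verify_entry(entry)
        with open(path, "r+b") as f:
            f.truncate(500)                        # accidental truncation
        results["truncated"] = verify_entry(entry)
        with open(path, "wb") as f:                # same length, different bytes
            f.write(b"setting=2\n" + b"setting=1\n" * 99)
        results["same_size_change"] = verify_entry(entry)
        # Whoever can write the file can usually regenerate the manifest too,
        # after which the modified file verifies cleanly.
        results["manifest_rewritten"] = verify_entry(make_entry(path))
    return results

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```
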

