On Wed, Aug 07, 2002 at 01:56:36PM -0400, Colin Walters wrote:
> On Wed, 2002-08-07 at 02:42, Anthony Towns wrote:
> True. And actually any weaknesses in MD5 are rather irrelevant for this
> particular case, because a hostile attacker will be able to simply
> replace any of the checksum files they want.

Well, unless you backup /var/lib/dpkg/checksums/ to WORM media, like a CD
ROM or paper. I had the coolest little "hack" that'd let you verify large
numbers of md5sums by hand from paper once... (think binary-trees, and
md5sums of md5sums)

But the key part of this is to have dpkg generate the md5sums at install
time. I suppose it'd actually be handy if you could generate the md5sums
just from the .deb without having to unpack it, too.

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``If you don't do it now, you'll be one year older when you do.''
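Added example, not part of the original message and not the author's own "hack": one reading of "binary-trees, and md5sums of md5sums" is a hash tree over the checksum list, where the root kept on write-once media detects any change and the stored upper levels narrow it down in a handful of comparisons. The file names, contents and function names below are constructed for illustration.

```python
import hashlib

def md5hex(data):
    return hashlib.md5(data).hexdigest()

def manifest(files):
    """'digest  path' lines sorted by path, in the style of md5sum output."""
    return [f"{md5hex(data)}  {path}" for path, data in sorted(files.items())]

def build_tree(lines):
    """levels[0] has one digest per manifest line; levels[-1] is [root]."""
    if not lines:
        raise ValueError("empty manifest")
    levels = [[md5hex(line.encode()) for line in lines]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # Parent = md5 of its children's hex digests; a trailing odd node has one child.
        levels.append([md5hex("".join(cur[i:i + 2]).encode())
                       for i in range(0, len(cur), 2)])
    return levels

def changed_leaves(trusted, current):
    """Descend from the root into differing subtrees only.
    Returns (indices of changed manifest lines, digests compared)."""
    if [len(l) for l in trusted] != [len(l) for l in current]:
        raise ValueError("file list changed; trees are not comparable")
    bad, compared, stack = [], 0, [(len(trusted) - 1, 0)]
    while stack:
        lvl, i = stack.pop()
        compared += 1
        if trusted[lvl][i] == current[lvl][i]:
            continue                      # whole subtree verified by one digest
        if lvl == 0:
            bad.append(i)
        else:
            stack += [(lvl - 1, c) for c in (2 * i, 2 * i + 1)
                      if c < len(trusted[lvl - 1])]
    return sorted(bad), compared

# Constructed sample data: 16 fake files, then one of them modified.
FILES = {f"/usr/bin/tool{i:02d}": b"contents %d" % i for i in range(16)}
TAMPERED = dict(FILES, **{"/usr/bin/tool05": b"trojaned"})

if __name__ == "__main__":
    trusted = build_tree(manifest(FILES))
    bad, n = changed_leaves(trusted, build_tree(manifest(TAMPERED)))
    print("root to keep on WORM media:", trusted[-1][0])
    print("changed:", [manifest(FILES)[i].split("  ", 1)[1] for i in bad],
          "after", n, "comparisons")
```

The tree is only as trustworthy as the copy of the root (and upper levels) held off the machine; a tree stored next to the checksum files can be replaced along with them, which is the objection quoted at the top of the message.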

