* Sjors Gielen:

> Kees Cook wrote:
>> Additionally, it doesn't matter -- it's just the md5 in the email
>> announcement. The Release and Packages files for the archive have SHA1
>> and SHA256. The md5 from the announcement is almost not important,
>> IMO -- no one should download files individually from the announcement.
>
> So if the Release and Packages files are using SHA1 and SHA256, why
> aren't the announcements?

Historical reasons, from the days where you got Debian on a set of CD-ROMs and repositories were not cryptographically signed. If we change the format of the announcements, we'd rather drop the hashes altogether (and the URLs). The hashes are somewhat hard to verify anyway because you need to follow the Debian project pretty closely to figure out if the signature on the advisory is genuine because it's created by individual developers.

