Package: devscripts
Version: 2.17.11
Followup-For: Bug #874029

> How many packages are like this type.

I can't tell you how many, but I can tell you that's how Mozilla does it too, so this applies to firefox, thunderbird, nspr and nss:

https://download-installer.cdn.mozilla.net/pub/firefox/releases/52.5.3esr/SHA256SUMS.asc
https://download-installer.cdn.mozilla.net/pub/thunderbird/releases/52.5.2/SHA512SUMS.asc
https://download-installer.cdn.mozilla.net/pub/nspr/releases/v4.17/src/SHA256SUMS
https://download-installer.cdn.mozilla.net/pub/security/nss/releases/NSS_3_34_1_RTM/src/SHA256SUMS

Note there's actually no signature for nspr and nss (ironically). Which makes me think checking hashes without signatures could be useful too. I think I've seen other upstreams with hashes without signatures. Well, as a matter of fact, there are at least on the gnome ftp:

http://ftp.gnome.org/pub/gnome/sources/glib/2.55/glib-2.55.0.sha256sum

Sure, this is not secure, but security is not the only reason one might want to check hashes. You can just want to double check you got the right archive, and not something with some bit flips (although arguably, that would probably fail to uncompress).

Mike
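Added example, not part of the original message and not devscripts code: a Python sketch of checking a downloaded archive against a SHA256SUMS/SHA512SUMS style file, reporting a hash-only match separately from one where the checksum file was itself signature-checked. The function names, the `signature_verified` flag and the sample entries are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hex digest length -> hashlib algorithm (SHA256SUMS / SHA512SUMS style files).
ALGO_BY_HEXLEN = {64: "sha256", 128: "sha512"}

def parse_sums(text):
    """Parse '<hex>  <path>' (text mode) and '<hex> *<path>' (binary mode) lines."""
    entries = []
    for line in text.splitlines():
        digest, _, path = line.strip().partition(" ")
        digest, path = digest.lower(), path.strip()
        path = path[1:] if path.startswith("*") else path
        if path and len(digest) in ALGO_BY_HEXLEN and set(digest) <= set("0123456789abcdef"):
            entries.append((path, digest))
    return entries

def check_download(archive, sums_text, listed_name, signature_verified=False):
    """Return 'missing', 'ambiguous', 'mismatch', 'integrity-only' or 'authenticated'."""
    # signature_verified (hypothetical flag): checksum file was verified against a signature.
    digests = {d for p, d in parse_sums(sums_text)
               if p == listed_name or p.endswith("/" + listed_name)}
    if not digests:
        return "missing"
    if len(digests) > 1:  # same file name listed under several directories
        return "ambiguous"
    expected = digests.pop()
    h = hashlib.new(ALGO_BY_HEXLEN[len(expected)])
    with open(archive, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    if h.hexdigest() != expected:
        return "mismatch"
    return "authenticated" if signature_verified else "integrity-only"

def demo():
    """Run the check on a constructed archive and constructed checksum lines."""
    data = b"constructed sample archive\n"
    good = hashlib.sha256(data).hexdigest()
    sums = f"{good}  source/example-1.0.tar.xz\n{'0' * 64} *other/example-2.0.tar.xz\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0.tar.xz")
        with open(path, "wb") as f:
            f.write(data)
        return [check_download(path, sums, "example-1.0.tar.xz"),
                check_download(path, sums, "example-1.0.tar.xz", True),
                check_download(path, sums, "example-2.0.tar.xz")]
```

An "integrity-only" result catches a corrupted or wrong archive but says nothing about who produced the checksum file.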
