On Thu, 4 Sep 2003, Jason Haar wrote:

| On Wed, Sep 03, 2003 at 09:37:13AM -0400, Renaud Deraison wrote:
| > There is a GPG-signed MD5 file next to nessus-installer.sh
|
| Ah! I read filename "MD5" as meaning md5's of nessus-installer.sh, which I
| never bothered downloading as if it's just a MD5, it's 100% likely to be
| compromised whenever the package itself is :-)
|
| Perhaps "MD5.sig" would be more "normal"?

It is an MD5 checksum of the nessus-installer.sh. It is also likely to be modified by someone who wants to, but that's why the content of the file is itself signed inline. It is not a file containing the PGP signature for nessus-installer.sh, so .sig would be a bit misleading. Naming it MD5.asc might be appropriate if one were to need to imply it was a PGP file. But that's just my opinion.
