Fine, but packages are updated on the ftp server for which there is never any advisory. Yet another reason why those MD5s aren't so useful.
And so, back to my original point: when you have taken the minimal care to include checksums in the advisory, please at least make sure that they are updated when the package itself is later updated. To make this point yet more explicit, I downloaded some packages whose checksums did not match the checksums in the advisories. I made the plausible inference that since their dates of posting were well after the advisory dates, the packages had been updated in the meantime, but not the checksums. Needless to say, this is not much of a model of security, if security is your concern... and someone who is downloading patches for security advisories has, on the face of it, a concern for security.
[...]
a waste of time anyway. USE GPG-SIGNING - NOW!
Is on its way. But not for 7.0 any more - time was too tight.
:-(
I'm not sure I can imagine what the grave logistical impediment to
introducing signatures is. But we'll have to be happy with a firm
promise that they will be used in 7.1!
--
Corvin Russell
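The check the poster above describes, namely comparing downloaded packages against the MD5 sums printed in an advisory and flagging the ones that no longer match, as an added example that is not part of the thread and not any vendor's tooling. The package names (foo.rpm, bar.rpm, baz.rpm), their contents and the advisory text are constructed in a temporary directory so the script runs offline; the scenario is the one the thread complains about, an advisory written against the original builds while one package was later replaced on the server without the checksum being updated.

```python
import hashlib
import os
import re
import tempfile

# One "md5  filename" line as printed by md5sum; other advisory text is ignored.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+(\S+)$")


def parse_advisory_md5s(text):
    """Extract {filename: md5hex} from advisory text, skipping non-checksum lines."""
    sums = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def md5_of_file(path):
    """Hash a file in chunks so large packages do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_packages(advisory_text, package_dir):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every file the advisory lists."""
    results = {}
    for name, expected in parse_advisory_md5s(advisory_text).items():
        path = os.path.join(package_dir, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def build_demo():
    """Constructed scenario (hypothetical names and contents, not real packages):
    the advisory was written against build 1 of foo and bar, but bar was later
    replaced on the server by build 2 and the advisory checksum was never updated;
    baz is listed in the advisory but was never uploaded."""
    d = tempfile.mkdtemp()
    foo_v1 = b"foo package, build 1\n"
    bar_v1 = b"bar package, build 1\n"
    bar_v2 = b"bar package, build 2 (silently updated)\n"
    with open(os.path.join(d, "foo.rpm"), "wb") as f:
        f.write(foo_v1)
    with open(os.path.join(d, "bar.rpm"), "wb") as f:
        f.write(bar_v2)
    advisory = (
        "Files:\n"
        f"{hashlib.md5(foo_v1).hexdigest()}  foo.rpm\n"
        f"{hashlib.md5(bar_v1).hexdigest()}  bar.rpm\n"
        f"{hashlib.md5(b'never uploaded').hexdigest()}  baz.rpm\n"
    )
    return advisory, d


if __name__ == "__main__":
    adv, pkg_dir = build_demo()
    for name, status in check_packages(adv, pkg_dir).items():
        print(f"{status:9} {name}")
```

A MISMATCH here tells you only that the file differs from what the advisory author hashed; it cannot say whether that is a harmless rebuild or a substituted package, which is the limit of unsigned checksums and the reason the thread asks for GPG signatures. In practice, run the check against the advisory text as received (not a copy fetched from the same server as the packages) and treat any mismatch as "do not install until clarified".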