As there seems to be constant problems with md5sums, would it be possible to set up a http-service offering md5-sums of the distribution- and update files thus removing the need to have related security posting whenever you need to check the authentity of any file you have. These transfers could possibly be signed by SuSE:s private pgp key so that authentity could be checked against the public key printed on SuSE manual.
I brought this up a month ago but there was no reaction from SuSE at all. As SuSE continually publishes incorrect md5 sums, or misses publishing some altogether, I do not really attribute that much security to those sums which are published (perhaps I'm paranoid). As an additional pain with those md5sums, I have not yet found a way how to conveniently check e.g. db53e002b6be652b31262bf89be0c31a ftp://ftp.suse.com/pub/suse/ i386/update/6.4/a1/aaa_base-2000.5.2-0.i386.rpm Do I really have to load this into an editor and meddle with it, because otherwise md5sum (the command) barfs about the path in front of the filename? What I suggest is what Red Hat has been doing for many years: sign the rpms with either pgp, gpg, or both. Fixes the problem in the most user-friendly way. Oh yes, md5 sums could still be published... Volker