31 Aug 2000 23:33
Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: whoever is able to change the RPM packages would be able to change the list file too...
They publish the MD5s in security announcements that are sent to Bugtraq/etc. These MD5 sums are available in many places, such as my weekly Linux security digest.
And perhaps this could then be PGP signed?
Good point! I remember we had this topic here already, and IIRC SuSE is going to sign in the future. Or maybe SuSE 7.0 is already signed?
I seem to remember that too. In any case I'll be doing a review of it when it comes out and they'll be roasted (just like I did Debian =) if packages are not signed.
oki,
Steffen
-Kurt