This is different to Volker's result:
Well, let's not go into details and concentrate on the main issue instead: SuSE's MD5 sum scheme does not work too well.
If I knew how to work md5sum right I would be happy. With
I can see 2 problems with using md5sum, one more serious than the other: 1) There is no guarantee that SuSE will ever be able to ensure correct md5 sums are published. This is in the nature of things. Doesn't the number of incorrectly published md5 sums so far make a farce of the system? 2) It is not all that user-friendly IMHO.
pgp I think we have compatibility, licence and US export issues (**is it legal in France to use pgp for signature checking??)
This should be irrelevant. If the act of verifying signatures by the user is illegal, does that make it illegal for SuSE to provide signed rpms? No. RH has provided pgp-signed rpms at least since version 4.0.
The SuSE CDs have pgp version 2.6.2 (as do RedHat CDs I think),
RH has nothing. Unless they have something on a US-only version, if they have one. The problem with RH is that it's an American distribution. Forget about any encryption software (at least until extremely recently). Likewise with the USA version of SuSE. Note that the USA and international versions of SuSE are not(!!) the same. The international one has a bulk of encryption software included. The USA one doesn't - reasons are well known.
but it seems that many suse-security list members use version 5 source release or version 6
This should also be irrelevant. As SuSE ships pgp 2.6.2 on all but the USA versions of the distribution, everyone has a working version of pgp to check the signatures. If someone wanted to install other versions of pgp and/or gpg as well, where is the problem?
binary release. 5 and 6 are not compatible with my version of rpm, I think.
Then you have mis-configured your rpm, or rpm does not support pgp 5 and 6 (unlikely though I never checked). It supports pgp 2.6.2 and gpg; unless there is a command-arg difference between pgp 2 and 5/6 rpm itself sees no difference. rpm simply calls pgp as an external program (the details of which you can configure).
GPG is very young for me to totally trust it, yet. Does it work with rpm?
Yes. Red Hat has signed their stuff with gpg since RH 6.0, i.e. for a while now. SuSE does not sign at all. It kind of makes me wince...

Volker