Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] md5sums
  • From: Volker Kuhlmann <kuhlmav@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Fri, 05 May 2000 09:48:38 +1200 (NZST)
  • Message-id: <200005042148.JAA06057@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> As there seem to be constant problems with md5sums, would it be
> possible to set up a http-service offering md5-sums of the distribution-
> and update files thus removing the need to have related security posting
> whenever you need to check the authenticity of any file you have. These
> transfers could possibly be signed by SuSE's private pgp key so that
> authenticity could be checked against the public key printed on SuSE
> manual.

I brought this up a month ago but there was no reaction from SuSE at all.

As SuSE continually publishes incorrect md5 sums, or misses publishing
some altogether, I do not really attribute that much security to those sums
which are published (perhaps I'm paranoid).

As an additional pain with those md5sums, I have not yet found a way
to conveniently check e.g.

db53e002b6be652b31262bf89be0c31a ftp://ftp.suse.com/pub/suse/
i386/update/6.4/a1/aaa_base-2000.5.2-0.i386.rpm

Do I really have to load this into an editor and meddle with it,
because otherwise md5sum (the command) barfs about the path in front of
the filename?

What I suggest is what Red Hat has been doing for many years: sign
the rpms with either pgp, gpg, or both. Fixes the problem in the most
user-friendly way. Oh yes, md5 sums could still be published...

Volker
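
One way to check announcement lines of the form quoted in the message without hand-editing them, as an added example that is not part of the original post or any SuSE tooling. The function names are hypothetical, and GNU `md5sum` is assumed to be installed. The result is only as trustworthy as the place the sums came from, which is the gap the message's proposal of signed rpms addresses.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the original post).
# Turns "<md5> <url>" announcement lines, including URLs wrapped onto the
# next line, into the "<md5>  <filename>" form that `md5sum -c` accepts.

is_md5() {
    # True only for exactly 32 hexadecimal characters.
    [ "${#1}" -eq 32 ] || return 1
    case $1 in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

emit() {
    # Print the pending entry, keeping only the part after the last "/".
    if [ -n "$sum" ] && [ -n "${url##*/}" ]; then
        printf '%s  %s\n' "$sum" "${url##*/}"
    fi
    sum= url=
}

normalize_sums() {
    sum= url=
    while read -r first rest || [ -n "$first" ]; do
        if is_md5 "$first"; then
            emit
            sum=$first url=${rest%% *}
        elif [ -n "$sum" ] && [ -n "$first" ] && [ -z "$rest" ]; then
            url=$url$first      # wrapped remainder of the URL
        else
            emit                # blank line or other text ends the entry
        fi
    done
    emit
}

verify_downloads() {
    # $1 = saved announcement text, $2 = directory with the downloaded files
    list=$(normalize_sums < "$1")
    [ -n "$list" ] || return 2  # no checksum lines found: nothing verified
    ( cd "$2" && printf '%s\n' "$list" | md5sum -c - )
}

# The line quoted in the message, with its URL wrapped across two lines:
normalize_sums <<'EOF'
db53e002b6be652b31262bf89be0c31a ftp://ftp.suse.com/pub/suse/
i386/update/6.4/a1/aaa_base-2000.5.2-0.i386.rpm
EOF
```

`verify_downloads announcement.txt .` returns non-zero if any listed file is missing or does not match, and returns 2 if the text contained no checksum lines at all.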
