As an example, I just downloaded both k_deflt.rpm and lx_suse.rpm of
the 2.2.16 kernel. Since the advisory, which is at
http://www.suse.com/de/support/security/suse_security_announce_54.txt
the packages have been updated. So have the checksums. You can find
the new packages and checksums at
ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel-2.2.16/
But the problem is that whereas the old checksums are signed as part
of the advisory, the new checksums are not. If you read the advisory,
"be sure to verify the checksums," and then, e.g., you see that what
is listed in the advisory as
SuSE Kernel Source Code: 41bde34659d93214af2cf5da6e7e2896
ftp.suse.com/pub/suse/i386/update/6.4/kernel-2.2.16/lx_suse.rpm
actually checksums as:
c8ecc307942b90e84c4e6058e3ade419 lx_suse.rpm
then what is the point? I know the new checksums have been given on
the ftp site, but it would be much more reassuring if the checksum
list, at least, were signed. Once the checksums have changed, the
original signature on the advisory is also fairly useless.
Corvin
--
Corvin Russell
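An added example, not from Corvin's post, of the check the post describes: the checksum list from the signed advisory is the only one whose signature can be verified, so only it may yield an "ok" verdict, while a list pulled unsigned from the ftp site cannot vouch for the files even when it matches them. The file contents and the k_deflt.rpm hash below are constructed stand-ins; the lx_suse.rpm hash is the stale one quoted in the post.

```python
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Constructed stand-ins for the two downloaded RPMs (not the real packages).
FILES = {
    "lx_suse.rpm": b"constructed stand-in for lx_suse.rpm\n",
    "k_deflt.rpm": b"constructed stand-in for k_deflt.rpm\n",
}

def parse_advisory(text):
    """Advisory format: a 'Label: <md5>' line followed by the file's URL."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    expected = {}
    for label, url in zip(lines[0::2], lines[1::2]):
        digest = label.rsplit(":", 1)[1].strip().lower()
        if not HEX32.match(digest):
            raise ValueError("malformed checksum line: %r" % label)
        expected[url.rsplit("/", 1)[-1]] = digest
    return expected

def parse_md5sum(text):
    """md5sum(1) format as published on the ftp site: '<md5>  <filename>'."""
    pairs = (ln.split() for ln in text.splitlines() if ln.strip())
    return {n: h.lower() for h, n in pairs if HEX32.match(h.lower())}

def verify(expected, files, list_signature_verified):
    """Verdict per file; an unverified list can never vouch for anything."""
    if not list_signature_verified:
        return {name: "UNSIGNED-LIST" for name in files}
    report = {}
    for name, data in files.items():
        if name not in expected:
            report[name] = "UNLISTED"
        elif hashlib.md5(data).hexdigest() == expected[name]:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report

# Signed advisory list: stale lx_suse.rpm hash from the post, k_deflt.rpm hash
# computed over the constructed stand-in so that one entry matches.
ADVISORY = (
    "SuSE Kernel Source Code: 41bde34659d93214af2cf5da6e7e2896\n"
    "ftp.suse.com/pub/suse/i386/update/6.4/kernel-2.2.16/lx_suse.rpm\n"
    "SuSE Default Kernel: %s\n"
    "ftp.suse.com/pub/suse/i386/update/6.4/kernel-2.2.16/k_deflt.rpm\n"
    % hashlib.md5(FILES["k_deflt.rpm"]).hexdigest())
# Unsigned list from the ftp site: matches the new files, but proves nothing.
FTP_LIST = "".join("%s  %s\n" % (hashlib.md5(d).hexdigest(), n) for n, d in FILES.items())
```

Running `verify(parse_advisory(ADVISORY), FILES, True)` flags lx_suse.rpm as MISMATCH, exactly the situation in the post; the ftp list only matches once the caller pretends its signature was verified.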