Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: who is able to change the RPM packages, would be able to change the list file too...
Just one of the reasons why those MD5 sums are not so useful, which I had argued a few times before on this list.
And perhaps this could then be PGP signed?
Good point! I remember we had this topic here already, and IIRC
Yep
They publish the MD5s in security announcements that are sent to Bugtraq/etc. These MD5 sums are available in many places, such as my weekly
Fine, but packages are updated on the ftp server for which there is never any advisory. Yet another reason why those MD5s aren't so useful. They would be if they were handled properly, but that is very unlikely to happen.
I seem to remember that too. In any case I'll be doing a review of it when it comes out and they'll be roasted (just like I did Debian =) if packages are not signed.
Turn your oven on:
Date: Sun, 06 Aug 2000 22:43:12 +0200 (MEST) From: Roman Drahtmueller
Subject: Re: [suse-security] SuSE security reputation, etc.. Cc: suse-security@suse.com [...] a waste of time anyway. USE GPG-SIGNING - NOW!
Is on its way. But not for 7.0 any more - time was too tight.
:-( On the other hand, I keep in mind that SuSE has, and solves, a large pile of problems Red Hat simply doesn't have (e.g. languages). But I strongly suggested that MD5s are useless and package signing a necessity when 6.3 was hot off the press!!
Volker
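The thread's point (an MD5 list file on the same FTP server is rewritten by whoever swaps the packages, while a detached signature made with a key kept off the server is not) as an added, constructed example that is not part of the original thread; it models an RPM mirror with a toy textbook-RSA key (Mersenne primes, no padding, illustration only) standing in for GPG:

```python
import hashlib

# Toy RSA key pair (constructed for illustration; NOT a secure key).
P = (1 << 127) - 1          # Mersenne prime 2^127 - 1
Q = (1 << 89) - 1           # Mersenne prime 2^89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: lives offline, never on the FTP box


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_sums_file(packages: dict) -> bytes:
    """Build the MD5SUMS list file as published next to the packages."""
    lines = (f"{md5_hex(c)}  {name}\n" for name, c in sorted(packages.items()))
    return "".join(lines).encode()


def sign(data: bytes) -> int:
    """Detached signature over the list file (toy RSA over its MD5)."""
    return pow(int(md5_hex(data), 16), D, N)


def verify_signature(data: bytes, sig: int) -> bool:
    """Verifier holds only the public part (E, N), obtained out of band."""
    return pow(sig, E, N) == int(md5_hex(data), 16)


def check_mirror(mirror: dict, sig: int) -> tuple:
    """Return (checksums_match_list, list_signature_valid) for a mirror snapshot."""
    sums_ok = mirror["MD5SUMS"] == make_sums_file(mirror["packages"])
    return sums_ok, verify_signature(mirror["MD5SUMS"], sig)


# Vendor side: publish packages, the MD5SUMS list and a signature over that list.
vendor_packages = {"foo-1.0.rpm": b"good package bytes"}      # constructed sample
vendor_sums = make_sums_file(vendor_packages)
vendor_signature = sign(vendor_sums)


def honest_mirror() -> dict:
    return {"packages": dict(vendor_packages), "MD5SUMS": vendor_sums}


def tampered_mirror() -> dict:
    """Attacker with write access swaps the package and rewrites MD5SUMS to match."""
    bad = {"foo-1.0.rpm": b"trojaned package bytes"}
    return {"packages": bad, "MD5SUMS": make_sums_file(bad)}
```

On the tampered mirror the checksum check still passes, which is exactly why the list file alone proves nothing; only the signature check, keyed on material the server never held, fails.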