Even knowing that, there is no way to determine the
authenticity of the associated files. Its very risky
to install an OS whose authenticity can't be
determined. Without a signature, there is no way to
determine whether the files on the server have been
compromised or not.
Surely someone from SuSE can check to see if a
partially updated directory is the only problem and
update the files accordingly.
John
--- Robert Schiele
On Tue, Sep 06, 2005 at 06:51:54PM -0700, John Tigh wrote:
I have a question about the Suse 9.3 DVD download.
The MD5SUM file in the i386/9.3 directory on ftp.suse.com passes a GPG signature verification
with
RSA key 3D25D3D9.
Primary key fingerprint: 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5
This MD5SUM shows that the MD5 of the iso/MD5SUM file should be
e925073c164466c1338cd412406e5227 iso/MD5SUMS
but the actual MD5SUM is
27576262ff331b3b212cf2ea9d4a18ce MD5SUMS
is this an accident? Has there been a problem on ftp.suse.com that has resulted in an unauthorized modification of an MD5SUM file and the isos that it protects?
There was a change in the iso directory after 9.3 FTP tree was released and it was taken care to recreate the MD5SUM files on the upper level.
Robert
-- Robert Schiele Tel.: +49-621-181-2214 Dipl.-Wirtsch.informatiker mailto:rschiele@uni-mannheim.de
______________________________________________________ Click here to donate to the Hurricane Katrina relief effort. http://store.yahoo.com/redcross-donate3/