On Sun, Aug 22, 2010 at 06:50:42PM +0100, Ken Moffat wrote:
> On Sun, Aug 22, 2010 at 05:23:17PM +0200, bendeguz wrote:
> > On Sun, Aug 22, 2010 at 02:37:27PM +0100, Ken Moffat wrote:
> > >
> > > Actually, the situation is worse than that! For most packages
> > > in the BLFS book, the md5sum was generated by an editor.
> > > I'm sure the gentoo sha sums are similar.
> > >
> >
> > Please forgive my stupidity, but I'm afraid I don't
> > clearly understand you. Would you please be so kind
> > and lighten me up?
> >
> > bendeguz
> > --
> We have the following situations:
>
> 1. The package maintainer uploads an md5 or sha to the directory
> where people download the tarball. No doubts that the sum is
> a match for the unaltered source. Unfortunately, very few packages
> are in this group.
>
> 2. The package is available. Someone runs md5sum or shasum to
> record the 'signature' of the tarball they used. If that was
> with unaltered source code, this is good enough. But if the source
> code had already been hacked ...
>
> ??en [ or for you, 'ken' since you can't render my preferred
> character ].
> --
> the one time as tragedy, the other time as farce
> --
> http://linuxfromscratch.org/mailman/listinfo/blfs-support
> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
> Unsubscribe: See the above information page
Thank you for your explanation.

1. So you mean that there are very few package maintainers who upload their checksums with the package? :S

2. This means it could be possible for some package to have false checksums on the whole internet? So you can't be absolutely sure that you have downloaded a package in the form the maintainer built it?

bendeguz

> ??en [ or for you, 'ken' since you can't render my preferred
> character ].

:), thanks
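The two situations Ken describes, shown as an added shell example that is not part of the list thread: a maintainer-published sum catches an altered tarball, while a sum that an editor records from the copy they already hold only proves the download matches that copy. The file name pkg-1.0.tar, its contents and the alteration are constructed for the demo.

```shell
# Constructed stand-in for a release tarball and the checksum file a maintainer
# publishes next to it (situation 1). Names and contents are made up for the demo.
make_release() {
    dir=$1
    printf 'pretend source tree\n' > "$dir/pkg-1.0.tar"
    # The maintainer hashes the pristine tarball and publishes the sum beside it.
    ( cd "$dir" && sha256sum pkg-1.0.tar > pkg-1.0.tar.sha256 )
}

# Situation 1 check: compare the download against the maintainer's published sum.
# Exit status 0 means the tarball is byte-identical to what the maintainer hashed.
verify_published() {
    ( cd "$1" && sha256sum --check --status pkg-1.0.tar.sha256 )
}

# Situation 2: an editor or packager hashes whatever copy they happen to hold.
# The recorded sum describes that copy, pristine or not.
record_local_sum() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Simulate source that was changed before the editor ever hashed it.
alter_tarball() {
    printf 'extra line not in the maintainer release\n' >> "$1/pkg-1.0.tar"
}

demo() {
    dir=$(mktemp -d)
    make_release "$dir"
    verify_published "$dir" && echo "pristine tarball: published sum matches"

    alter_tarball "$dir"
    verify_published "$dir" || echo "altered tarball: published sum does NOT match"

    # A sum taken after the alteration still checks out against the altered file,
    # so a later downloader comparing against it learns nothing about the maintainer's release.
    recorded=$(record_local_sum "$dir/pkg-1.0.tar")
    printf '%s  pkg-1.0.tar\n' "$recorded" > "$dir/editor.sha256"
    ( cd "$dir" && sha256sum --check --status editor.sha256 ) \
        && echo "editor-generated sum matches the altered tarball"
    rm -rf "$dir"
}

demo
```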