George Bonser <[EMAIL PROTECTED]> writes:

> Note that I am using the apt method of dselect using the round-robin
> mirrors so I have no idea which site I was really connected to when I got
> the bad .deb

Does apt check the MD5sum of the package against that in the Packages file? Does dpkg do that (I suppose not, since I don't think it reads Packages files)? If neither of them do, shouldn't one of them do it? Which one? (I.e. against which package should I send a bug report? :))

Another idea for a new feature in the packaging system: I think it would be a good thing to include a PGP or GPG signature of the Packages file in the distribution. This could be automatically generated (filename Packages.sig or something) by whatever adds packages to ftp.debian.org. Someone could generate a key for it, and add the key to debian-keyring, perhaps signed by a couple of maintainers. The signature should simply validate that the Packages file is identical to that on ftp.debian.org; that is, it is unmodified from an official Debian distribution.

Of course, it would also be nice if something checked the signature automatically; apt could do this after downloading the Packages file, or dpkg --update-avail could do it, if given access to the signature somehow.

Just an idea...

(I don't read debian-devel, so if you want to say something to me, mail to debian-user or to me directly.)

-- 
-=- Rjs -=- [EMAIL PROTECTED]
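The first check the message asks about, a downloaded .deb compared against the MD5sum recorded in the Packages index, as an added illustration that is not part of the original thread. The field names (Package, Filename, Size, MD5sum) are those used in real Packages files; the stanzas and the ".deb" bytes are constructed sample data, and the Packages.sig verification proposed later in the mail is not shown since it needs a keyring.

```python
"""Check a fetched .deb against the Size and MD5sum fields of a Packages index.
Added example, not Debian's or apt's own code. The field names are the real
Packages fields; the stanzas and package bytes below are constructed samples."""
import hashlib
from typing import Dict

# Constructed Packages index. The "packages" are placeholder bytes, not real
# archives: hello is b"abc", goodbye is the empty file.
SAMPLE_PACKAGES = """\
Package: hello
Version: 1.3-1
Architecture: i386
Filename: dists/stable/main/binary-i386/hello_1.3-1.deb
Size: 3
MD5sum: 900150983cd24fb0d6963f7d28e17f72

Package: goodbye
Version: 0.1-2
Architecture: i386
Filename: dists/stable/main/binary-i386/goodbye_0.1-2.deb
Size: 0
MD5sum: d41d8cd98f00b204e9800998ecf8427e
"""
HELLO_PATH = "dists/stable/main/binary-i386/hello_1.3-1.deb"
GOODBYE_PATH = "dists/stable/main/binary-i386/goodbye_0.1-2.deb"
GOOD_DEB = b"abc"       # constructed: matches the hello stanza
TAMPERED_DEB = b"abd"   # constructed: same length, one byte changed


def parse_packages(text: str) -> Dict[str, Dict[str, str]]:
    """Parse blank-line separated stanzas into a dict keyed by Filename."""
    index: Dict[str, Dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        key = None
        for line in stanza.splitlines():
            if line[:1].isspace() and key:            # continuation line
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index


def verify_deb(index: Dict[str, Dict[str, str]], filename: str, data: bytes) -> bool:
    """True only if the file is listed and both Size and MD5sum match."""
    entry = index.get(filename)
    if entry is None or int(entry.get("Size", -1)) != len(data):
        return False
    return hashlib.md5(data).hexdigest() == entry.get("MD5sum", "").lower()


if __name__ == "__main__":
    idx = parse_packages(SAMPLE_PACKAGES)
    print("good:", verify_deb(idx, HELLO_PATH, GOOD_DEB))          # True
    print("tampered:", verify_deb(idx, HELLO_PATH, TAMPERED_DEB))  # False
```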