While the arguments (especially file) are now checked to not allow dangerous stuff, one can still make it show an arbitrary md5sum. Though the security impact is mostly limited to people posting links which make funny things show up on a Debian website (or very stupid users), it would still be better to fix that: I'd suggest not showing the md5sum here (it is so low on a long page anyway that one seldom looks down there), and just adding it on the package page after Package Size and Installed Size.
Respectfully,
Bernhard R. Link