[Stackless] MD5 checksums for gzipped tarballs?
gwhulbert at eol.ca
Fri Nov 2 12:29:39 CET 2007
On Fri, 2007-11-02 at 11:06 +0000, Richard Tew wrote:
> Perhaps it would be an idea to check in the MD5 checksums for the
> downloads into the python.org SVN? Or do we have somewhere more
> appropriate? In order to prevent the compromising of the checksums,
> should the downloads themselves be compromised somehow.
The Debian packaging system solves this problem[*].
You just need a private copy of the md5sums in case a download site is
compromised. You still depend on the site admin reporting a problem.
It provides manifests (Packages, Source) with md5sums of .deb files (I
think the .deb file also has md5sums of its contents). The manifests
are listed in a Release file with their md5sums, and a Release.pgp file
is provided. The Debian installer checks the .pgp file. I think they
are migrating from md5 to sha1 now.
In this case you depend only on the GPG keys not being compromised.
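The chain described above (signed Release file, manifests listed in it with their checksums, package files listed in the manifests), as an added example that is not part of the original post or of Debian's own tooling. The file layouts are minimal constructed stand-ins, and the Release.pgp signature check is replaced by a pinned trusted digest of the Release file, which is an assumption made only to keep the example self-contained.

```python
import hashlib

# Constructed sample data standing in for a .deb file (not a real archive).
PACKAGE_NAME = "pool/main/e/example/example_1.0_i386.deb"
PACKAGE_DATA = b"constructed stand-in for a .deb file"

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_packages(filename: str, data: bytes) -> bytes:
    """Minimal one-entry Packages manifest: Filename, Size and MD5sum fields."""
    return f"Filename: {filename}\nSize: {len(data)}\nMD5sum: {md5hex(data)}\n".encode()

def build_release(manifests: dict) -> bytes:
    """Minimal Release file: an MD5Sum: section listing each manifest."""
    lines = ["Suite: example", "MD5Sum:"]
    lines += [f" {md5hex(d)} {len(d):>8} {n}" for n, d in manifests.items()]
    return ("\n".join(lines) + "\n").encode()

def parse_release(release: bytes) -> dict:
    """Return {manifest name: (md5, size)} from the MD5Sum: section."""
    entries, in_section = {}, False
    for line in release.decode().splitlines():
        if line.startswith(" ") and in_section:
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            in_section = line.strip() == "MD5Sum:"
    return entries

def parse_packages(manifest: bytes) -> dict:
    """Return the Field: value pairs of a one-entry Packages manifest."""
    return dict(l.split(": ", 1) for l in manifest.decode().splitlines() if ": " in l)

def verify_chain(release, trusted_release_md5, manifest_name, manifest, pkg_name, pkg) -> bool:
    """Walk the trust chain Release -> Packages -> package file.
    Assumption: the Release.pgp signature check is stood in for by a pinned,
    out-of-band trusted digest of the Release file."""
    if md5hex(release) != trusted_release_md5:
        return False                      # Release itself was altered
    entry = parse_release(release).get(manifest_name)
    if entry is None or entry != (md5hex(manifest), len(manifest)):
        return False                      # manifest not listed, or altered
    f = parse_packages(manifest)
    return (f.get("Filename") == pkg_name and f.get("Size") == str(len(pkg))
            and f.get("MD5sum") == md5hex(pkg))   # False if the package was altered

PACKAGES = build_packages(PACKAGE_NAME, PACKAGE_DATA)
RELEASE = build_release({"main/binary-i386/Packages": PACKAGES})
TRUSTED_RELEASE_MD5 = md5hex(RELEASE)  # in practice established by the signature
```

Only the pinned Release digest (in practice, the signing key) has to be kept out of the attacker's reach; every other file on the mirror can be replaced without passing `verify_chain`.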