[Stackless] MD5 checksums for gzipped tarballs?

Guy Hulbert gwhulbert at eol.ca
Fri Nov 2 12:29:39 CET 2007


On Fri, 2007-11-02 at 11:06 +0000, Richard Tew wrote:
> Perhaps it would be an idea to check in the MD5 checksums for the
> downloads into the python.org SVN?  Or do we have somewhere more
> appropriate?  In order to prevent the compromising of the checksums,
> should the downloads themselves be compromised somehow.

The Debian packaging system solves this problem[*].

You just need a private copy of the md5sums in case a download site is
compromised.  You still depend on the site admin reporting a problem.

[*] Debian.

Provides manifests (Packages, Source) with md5sums of .deb files (I
think the .deb file also has md5sums of its contents).  The manifests
are listed in a Release file with their md5sums and a Release.pgp file
is provided.  The Debian installer checks the .pgp file.  I think they
are migrating from md5 to sha1 now.

In this case you depend only on the GPG keys not being compromised.

-- 
--gh
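The chain Guy describes (a signed Release file that lists the manifests by hash, manifests that list the .deb files by hash, so that only the signing key has to stay uncompromised) can be walked end to end in a few dozen lines. The following is an added example, not code from Debian, apt or the Stackless project: the repository contents, the package name and paths, and the "Suite: stable" header are constructed for illustration, and the archive signature is stood in for by an HMAC over a constructed key so the example runs offline (real apt verifies a detached OpenPGP signature on Release with GnuPG against its trusted keyring). The file layouts follow the Debian MD5Sum:/SHA1: sections and Packages stanza fields the post refers to. It also shows what happens when an attacker on a mirror escalates up the chain: replacing the .deb, then rewriting the manifest, then rewriting Release, which fails at the signature.

```python
import hashlib
import hmac


def md5(data):
    return hashlib.md5(data).hexdigest()


def sha1(data):
    return hashlib.sha1(data).hexdigest()


# ---- archive side: build the manifests the post describes ----

def build_packages(debs):
    """Packages manifest: one stanza per .deb with Filename, Size, MD5sum, SHA1."""
    stanzas = []
    for name, (path, data) in sorted(debs.items()):
        stanzas.append(f"Package: {name}\nFilename: {path}\nSize: {len(data)}\n"
                       f"MD5sum: {md5(data)}\nSHA1: {sha1(data)}\n")
    return "\n".join(stanzas).encode()


def build_release(manifests):
    """Release file: MD5Sum: and SHA1: sections listing every manifest and its size."""
    lines = ["Suite: stable", "MD5Sum:"]
    lines += [f" {md5(d)} {len(d)} {p}" for p, d in sorted(manifests.items())]
    lines.append("SHA1:")
    lines += [f" {sha1(d)} {len(d)} {p}" for p, d in sorted(manifests.items())]
    return ("\n".join(lines) + "\n").encode()


# Stand-in for the archive signing key (assumption): an HMAC plays the role of
# the OpenPGP signature in Release.gpg so the example runs offline.  Real apt
# verifies a detached GPG signature with a key from its trusted keyring.
SIGNING_KEY = b"constructed archive signing key"


def sign_release(release):
    return hmac.new(SIGNING_KEY, release, "sha256").digest()


def signature_ok(release, sig):
    return hmac.compare_digest(sign_release(release), sig)


# ---- client side: walk the chain from the signature down to the .deb ----

def parse_release(release):
    """Map manifest path -> {'md5', 'sha1', 'size'} from the hash sections."""
    entries, section = {}, None
    for line in release.decode().splitlines():
        if line.startswith(" ") and section:
            digest, size, path = line.split()
            entries.setdefault(path, {})[section] = digest
            entries[path]["size"] = int(size)
        else:  # a section header selects the digest type; anything else ends it
            section = {"MD5Sum:": "md5", "SHA1:": "sha1"}.get(line)
    return entries


def parse_packages(packages):
    """Map package name -> stanza fields (stanzas are separated by blank lines)."""
    result, stanza = {}, {}
    for line in packages.decode().splitlines() + [""]:
        if line:
            key, _, value = line.partition(": ")
            stanza[key] = value
        elif stanza:
            result[stanza["Package"]] = stanza
            stanza = {}
    return result


def matches(data, md5_hex, sha1_hex, size):
    """Size and both digests must agree with the manifest entry."""
    return (len(data) == int(size)
            and hmac.compare_digest(md5(data), md5_hex)
            and hmac.compare_digest(sha1(data), sha1_hex))


def verify_download(repo, manifest_path, package, signature_ok=signature_ok):
    """Return (ok, reason).  Only Release is signed; the manifest and the .deb
    are bound to that signature through hashes, so trust rests on the key."""
    release = repo["Release"]
    if not signature_ok(release, repo["Release.gpg"]):
        return False, "Release signature invalid"
    entry = parse_release(release).get(manifest_path)
    if entry is None:
        return False, "manifest not listed in Release"
    manifest = repo[manifest_path]
    if not matches(manifest, entry["md5"], entry["sha1"], entry["size"]):
        return False, "manifest does not match Release"
    stanza = parse_packages(manifest).get(package)
    if stanza is None:
        return False, "package not in manifest"
    deb = repo[stanza["Filename"]]
    if not matches(deb, stanza["MD5sum"], stanza["SHA1"], stanza["Size"]):
        return False, ".deb does not match manifest"
    return True, "ok"


# ---- constructed repository and tamper scenarios ----

MANIFEST = "main/binary-i386/Packages"          # constructed path
DEB_PATH = "pool/main/e/example/example_1.0_all.deb"  # constructed path


def make_repo(deb=b"!<arch>\nconstructed package contents\n"):
    packages = build_packages({"example": (DEB_PATH, deb)})
    release = build_release({MANIFEST: packages})
    return {"Release": release, "Release.gpg": sign_release(release),
            MANIFEST: packages, DEB_PATH: deb}


def demo():
    """Intact archive, then a mirror attacker escalating up the chain."""
    good = make_repo()
    trojan = b"!<arch>\ntrojaned contents\n"
    deb_swap = {**good, DEB_PATH: trojan}                     # 1) swap the .deb only
    man_swap = {**deb_swap,                                  # 2) also rewrite Packages
                MANIFEST: build_packages({"example": (DEB_PATH, trojan)})}
    rel_swap = {**man_swap,                                  # 3) also rewrite Release;
                "Release": build_release({MANIFEST: man_swap[MANIFEST]})}  # no key => no sig
    return {name: verify_download(r, MANIFEST, "example")
            for name, r in [("intact", good), ("deb_replaced", deb_swap),
                            ("manifest_rewritten", man_swap), ("release_rewritten", rel_swap)]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The three failing scenarios fail at three different links, which is the point of the design: a mirror can serve any bytes it likes, but it cannot make them pass without producing a fresh Release.gpg, and that needs the archive key. What the checks do not cover is the problem Guy notes about relying on the site admin: a compromised key, or an old but validly signed Release being replayed, passes this chain, so clients also need to watch the key and the Release date.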
