Re: debsums: no md5sums for a lot of important packages on sarge

Alexandros Papadopoulos <apapadop@alumni.cmu.edu> schrieb:
> debsums: no md5sums for ssh

cant reproduce this one. Package ships with md5sums on sarge here.

> So I believe the above output NOT to be the result of a breach. My
> question is, is it acceptable to have so many important and widely
> used packages in *stable* without MD5 checksums?

you cant trust debsums anyway, since the files containing the md5 hashes are not signed.

> Secondly, how can one fix this on a production system? Is the
> following method proposed by Paul Gear @
> http://lists.debian.org/debian-security/2005/06/msg00126.html the
> best/only way?

newer debsum versions support creation of sums for packages which do not ship a md5sum file.

"debsums can generate checksum lists from deb archives for packages that don't  include one."

bye,

• michael

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.debian.org Links debian-announce debian-apache debian-arm-changes debian-beowulf debian-boot debian-cd debian-cd-vendors debian-changes debian-changes-digest debian-isp debian-kde debian-laptop debian-mirrors-announce debian-news debian-security debian-security-announce debian-testing debian-user debian-user-digest Request more information about Pantek