gtk-xfce-engine MD5 sum problem

LiNuCe linuce at gmail.com
Mon Nov 7 21:25:57 CET 2005


Mon, 07 Nov 2005 07:41:49 +0100 - Olivier Fourdan <fourdan at xfce.org> :
> (...)
> 
> The versions are identical, but packages are rebuilt for each
> release, which means that the md5sum might be different (the tar
> contains dates that might change due to the generated files)
> 
> The MD5 sum is mainly to verify that the downloaded files are
> complete, as there is no digital signature, it should not be
> considered as a security proof.

Sorry, I was talking about authenticity, not about security, even if
authenticity could imply security in a sense that the software comes
from a trusted source, even if it is downloaded from a compromised
mirror as everyone could check authenticity of files. What I mean is
that if I could have ensured that the new MD5 sum was signed by the
Xfce project, I would not have asked if there was something wrong. The
different MD5 sums between both files supposed to contain the same
software could mislead Xfce packagers.

However, GPG usage was just a suggestion "en passant" : I don't want
to be insistent and I don't wish to bother you by starting an
annoying, long thread about the usefulness of GPG and authenticity
checking.

Oh, and thank you all for your work on XFCE :)

-- 
Lucien Nardini
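
The rebuild effect described in the quoted reply, as an added example that is not part of the original thread or of the Xfce project's tooling: two tar archives of identical files with different member timestamps hash differently, while a digest over member names and contents matches. The file names, contents and timestamps are constructed, and SHA-256 is used here in place of MD5.

```python
import hashlib
import io
import tarfile

# Constructed sample payload standing in for a source tree (not real Xfce files).
FILES = {
    "pkg-1.0/README": b"sample readme\n",
    "pkg-1.0/configure": b"#!/bin/sh\necho generated\n",
}


def build_tarball(files, mtime):
    """Return uncompressed tar bytes for `files`, stamping every member with `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def archive_digest(tar_bytes):
    """Digest of the raw archive, the value a published checksum file carries."""
    return hashlib.sha256(tar_bytes).hexdigest()


def content_digest(tar_bytes):
    """Digest over member names and file bytes only, ignoring timestamps."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            h.update(member.name.encode() + b"\0")
            h.update(len(data).to_bytes(8, "big"))  # length prefix avoids ambiguity
            h.update(data)
    return h.hexdigest()


first = build_tarball(FILES, mtime=1131000000)    # constructed build time
rebuilt = build_tarball(FILES, mtime=1131400000)  # same files, later rebuild

if __name__ == "__main__":
    print("archive digests equal:", archive_digest(first) == archive_digest(rebuilt))
    print("content digests equal:", content_digest(first) == content_digest(rebuilt))
```

A matching content digest shows that two archives carry the same files; it says nothing about who produced them, which is what a signature over the checksum would add.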