gtk-xfce-engine MD5 sum problem

theid heidesch at
Tue Nov 8 01:36:29 CET 2005

Well gmail's being a PITA today, and apparently I can't send mail to the
list from an address not already subscribed, as I tried last week on a
different subject.

What I was going to say is that an identical package with a different md5
sum is a negligible problem for a package maintainer (just increment the
revision and update the md5) but a big problem for the mirrors. Multiple
projects and multiple software versions can be drawing upon the same
repository and will get confused with md5 verifications.


On 11/7/05, LiNuCe <linuce at> wrote:
> Mon, 07 Nov 2005 07:41:49 +0100 - Olivier Fourdan <fourdan at> :
> > The versions are identical, but packages are rebuilt for each
> > release, which means that the md5sum might be different (the tar
> > contains dates that might change due to the generated files)
> >
> > The MD5 sum is mainly to verify that the downloaded files are
> > complete, as there is no digital signature, it should not be
> > considered as a security proof.
> Sorry, I was talking about authenticity, not about security, even if
> authenticity could imply security in a sense that the software comes
> from a trusted source, even if it is downloaded from a compromised
> mirror as everyone could check authenticity of files. What I mean is
> that if I could have ensured that the new MD5 sum was signed by the
> Xfce project, I would not have asked if there was something wrong. The
> different MD5 sums between both files supposed to contain the same
> software could mislead Xfce packagers.
> However, GPG usage was just a suggestion "en passant" : I don't want
> to be insistent and I don't wish to bother you by starting an
> annoying, long thread about the usefulness of GPG and authenticity
> checking.
> Oh, and thank you all for your work on XFCE :)
