gtk-xfce-engine MD5 sum problem

theid heidesch at gmail.com
Tue Nov 8 01:36:29 CET 2005


Well gmail's being a PITA today, and apparently I can't send mail to the
list from an address not already subscribed, as I tried last week on a
different subject.

What I was going to say is that an identical package with a different md5
sum is a negligible problem for a package maintainer (just increment the
revision and update the md5) but a big problem for the mirrors. Multiple
projects and multiple software versions can be drawing upon the same
repository and will get confused with md5 verifications.

-Todd

On 11/7/05, LiNuCe <linuce at gmail.com> wrote:
>
> Mon, 07 Nov 2005 07:41:49 +0100 - Olivier Fourdan <fourdan at xfce.org> :
> > (...)
> >
> > The versions are identical, but packages are rebuilt for each
> > release, which means that the md5sum might be different (the tar
> > contains dates that might change due to the generated files)
> >
> > The MD5 sum is mainly to verify that the downloaded files are
> > complete, as there is no digital signature, it should not be
> > considered as a security proof.
>
> Sorry, I was talking about authenticity, not about security, even if
> authenticity could imply security in a sense that the software comes
> from a trusted source, even if it is downloaded from a compromised
> mirror as everyone could check authenticity of files. What I mean is
> that if I could have ensured that the new MD5 sum was signed by the
> Xfce project, I would not have asked if there was something wrong. The
> different MD5 sums between both files supposed to contain the same
> software could mislead Xfce packagers.
>
> However, GPG usage was just a suggestion "en passant" : I don't want
> to be insistent and I don't wish to bother you by starting an
> annoying, long thread about the usefulness of GPG and authenticity
> checking.
>
> Oh, and thank you all for your work on XFCE :)
>
> --
> Lucien Nardini
>
>
>
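
The effect described in the thread, as an added example that is not part of the original messages: two tar archives built from identical files but stamped with different dates get different MD5 sums, while a per-file content manifest still matches. The function names, file names and timestamps are constructed for illustration; the manifest comparison only separates a rebuild from a content change and says nothing about who produced either archive.

```python
import hashlib
import io
import tarfile

# Constructed sample payload standing in for a source release.
SAMPLE_FILES = {
    "pkg-1.0/configure": b"#!/bin/sh\necho generated\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}

def build_tar(files, mtime):
    """Build an in-memory tar archive, stamping every member with mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def archive_md5(blob):
    """MD5 of the archive bytes, which is what a published md5sum covers."""
    return hashlib.md5(blob).hexdigest()

def content_manifest(blob):
    """Map each regular file to the SHA-256 of its contents, ignoring tar metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def same_payload(blob_a, blob_b):
    """True when both archives carry the same files with the same contents."""
    return content_manifest(blob_a) == content_manifest(blob_b)

if __name__ == "__main__":
    first = build_tar(SAMPLE_FILES, mtime=1131321600)    # constructed build date
    rebuilt = build_tar(SAMPLE_FILES, mtime=1131408000)  # same files, a day later
    changed = build_tar({**SAMPLE_FILES, "pkg-1.0/src/main.c": b"int main(void) { return 1; }\n"},
                        mtime=1131408000)
    print("md5 first  :", archive_md5(first))
    print("md5 rebuilt:", archive_md5(rebuilt))
    print("rebuilt has same payload:", same_payload(first, rebuilt))
    print("changed has same payload:", same_payload(first, changed))
```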