MD5 sums for new CVS packages

Gerard Beekmans gerard at linuxfromscratch.org
Fri Jan 3 03:38:03 PST 2003


On January 3, 2003 02:21 am, Carsten Gehrke wrote:
> Hmm, my concern was actually that I wanted to make sure the files had not
> been tampered with.  I think I got everything from GNU.org, but couldn't
> find any PGP/GPG signatures there.  MD5 fingerprints on the same server are
> worthless.  If obtained from a different source, they are better than
> nothing.  Otherwise, I wait about a week to see if any reports of
> compromises occur.  For some packages, I have contacted the author
> directly, but in this case there are too many.  I was hoping someone here
> on the list might have copies of these files and could run MD5 on them.

I got the source from ftp.gnu.org too so it doesn't mean much if the packages 
were compromised. And I repack all downloaded packages (often they're not 
.bz2 yet) so MD5SUMS are different. All I can do is download the stuff from 
ftp.gnu.org and give you the MD5SUMS as I download them but that doesn't give 
you much of a guarantee, does it.

-- 
Gerard Beekmans
www.linuxfromscratch.org

-*- If Linux doesn't have the solution, you have the wrong problem -*-
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-support' in the subject header of the message



More information about the lfs-support mailing list