MD5 sums for new CVS packages

Carsten Gehrke carsten at rollinghorse.com
Fri Jan 3 09:25:55 PST 2003


At 03:38 03-01-03, Gerard Beekmans wrote:
>On January 3, 2003 02:21 am, Carsten Gehrke wrote:
> > Hmm, my concern was actually that I wanted to make sure the files had not
> > been tampered with.  I think I got everything from GNU.org, but couldn't
> > find any PGP/GPG signatures there.  MD5 fingerprints on the same server are
> > worthless.  If obtained from a different source, they are better than
> > nothing.  Otherwise, I wait about a week to see if any reports of
> > compromises occur.  For some packages, I have contacted the author
> > directly, but in this case there are too many.  I was hoping someone here
> > on the list might have copies of these files and could run MD5 on them.
>
>I got the source from ftp.gnu.org too so it doesn't mean much if the packages
>were compromised. And I repack all downloaded packages (often they're not
>.bz2 yet) so MD5SUMS are different. All I can do is download the stuff from
>ftp.gnu.org and give you the MD5SUMS as I download them but that doesn't give
>you much of a guarantee, does it.

I followed the bz2 links on Freshmeat, so I all files except sed are 
bz2.  But you are right, if you download them now it wouldn't really help 
me.  So, I have two questions:

1) How do you ensure that source files you download have not been altered?

For small packages, are small changes to packages where I have an older 
version available, I'll inspect the source for anything suspicious.  But if 
the changes are too great, that appraoch is not feasible.

2) When do you expect to release the next (4.1?) version of the book?

If you plan to do this in the near future, I'll just wait for that.  I've 
had some problems with gcc 3.2 in LFS 4.0, so I was hoping gcc 3.2.1 would 
help.  Of course, I'd wait about a week after you release it before I would 
actually start installing (I know, I'm using other LFS users as guinea pigs).

TIAA,

-- 
Carsten Gehrke     LFS No.: 190    using Linux since kernel 0.98
carsten at gehrke.org

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-support' in the subject header of the message



More information about the lfs-support mailing list