MD5sums on linuxfromscratch.org

Karl Wilbur karl at karlwilbur.net
Wed Jan 21 05:54:02 PST 2004


I am trying to download the packages either using the wget script or by
downloading the single tar.  In both cases, there is no reliable way to
confirm integrity of the packages.

The way that MD5sums are supposed to be used, a single main site
provides the md5sum list so that after downloading from a mirror, one
can check the mirror's files against the 'known good' sums on the main
site.  However, each mirror has its own MD5SUMS, and they do not match
each other!  In fact, one of them does not even conform to the same
format as the others.

In addition, the idea of PGP/GPG keys is that you must be able to trust
a key so that you can use it to confirm authenticity.  However, each
mirror also has its own copy of Gerard Beekmans' GPG key.  There is a
way to download it from linuxfromscratch.org, but this link is
obfuscated on the Packages page, the wording of which implies that it is
a copy of the GPG signature for the file, provided at the 'official
download site.'

Without a central MD5sum list, there is no way to confirm the integrity
of the mirrors.  Without a reliable place to get Gerard Beekmans' GPG
key, there is no way to be able to trust the many copies there are out
there.  At the very least, the key should be provided to all keyservers
out there, starting with MIT's (http://pgp.mit.edu/).  There should
absolutely be a way to verify the integrity of these source files before
compiling them.

What I would like to see is a signed MD5sum list of all LFS packages and
signed MD5sum list of all of the BLFS packages on the
linuxfromscratch.org site. In this way there is one trusted central
location for MD5sums.

If there is any way that I can help with this please let me know. I am
very willing to help.

-Karl
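
Added example (not part of Karl's post, nor code from the LFS project): a small Python checker that reads a known-good MD5 list in either of the two common layouts the mirrors might use, then reports each listed package as intact, altered or missing. File names and contents are constructed; it assumes the list itself was already authenticated (e.g. its GPG signature checked) before being trusted.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Two list formats: GNU md5sum "<hex>  <name>" and BSD md5 "MD5 (<name>) = <hex>"
LINE_FORMATS = [
    (re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$"), 2, 1),      # GNU: (hex, name)
    (re.compile(r"^MD5 \((.+)\) = ([0-9a-fA-F]{32})$"), 1, 2),  # BSD: (name, hex)
]

def parse_md5sums(text):
    """Return {filename: md5hex}; accepts either format, even mixed in one list."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, name_idx, hex_idx in LINE_FORMATS:
            m = pattern.match(line)
            if m:
                sums[m.group(name_idx)] = m.group(hex_idx).lower()
                break
        else:
            raise ValueError("unrecognised checksum line: %r" % raw)
    return sums

def verify_directory(sums, directory):
    """'OK', 'MISMATCH' or 'MISSING' per listed file; trust the list first (GPG)."""
    result = {}
    for name, expected in sums.items():
        path = Path(directory, name)
        if not path.is_file():
            result[name] = "MISSING"
            continue
        actual = hashlib.md5(path.read_bytes()).hexdigest()
        result[name] = "OK" if actual == expected else "MISMATCH"
    return result

def demo():
    """Constructed sample: one intact file, one altered file, one never downloaded."""
    d = Path(tempfile.mkdtemp())
    (d / "good.tar.bz2").write_bytes(b"good package contents")
    (d / "altered.tar.bz2").write_bytes(b"not what the list says")
    listing = "\n".join([
        hashlib.md5(b"good package contents").hexdigest() + "  good.tar.bz2",
        "MD5 (altered.tar.bz2) = " + hashlib.md5(b"original contents").hexdigest(),
        hashlib.md5(b"never downloaded").hexdigest() + "  missing.tar.bz2",
    ])
    return verify_directory(parse_md5sums(listing), d)
```

A checksum list downloaded from the same mirror as the packages only proves the download was not corrupted in transit; the "known good" property comes from the central, signed copy the post asks for.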
