checksums of packages

Bruce Dubbs bruce.dubbs at gmail.com
Sun Aug 22 17:03:17 PDT 2010


bendeguz wrote:

> 2. This means it could be possible for some package to have 
> false checksums on the whole internet?
> So you can't be absolutely sure that you have downloaded a package
> in the form the maintainer built it?

It's possible, but quite unlikely.  It would be discovered and all over 
the net pretty quickly.  There are a lot of packages that have optional 
crypto signatures too.  See e.g. openssl.

   -- Bruce


