checksums of packages

bendeguz mailinglists00 at
Mon Aug 23 14:19:57 PDT 2010

On Mon, Aug 23, 2010 at 07:55:03PM +1200, Simon Geard wrote:
> On Sun, 2010-08-22 at 19:03 -0500, Bruce Dubbs wrote:
> > bendeguz wrote:
> > 
> > > 2. This means it could be possible for some package to have 
> > > false checksums on the whole internet?
> > > So you can't be absolutely sure, that you have downloaded a package
> > > in the form the maintainer built it?
> > 
> > It's possible, but quite unlikely.  It would be discovered and all over 
> > the net pretty quickly.  There are a lot of packages that have optional 
> > crypto signatures too.  See e.g. openssl.
> More than just openssl - for almost everything in LFS itself, the
> download sites provide GPG signatures, and it seems to be the norm for
> anything hosted on or When such signatures are
> available, I make a point of checking them.
> Of course, GPG signatures don't mean anything either, if you don't make
> some effort at verifying the keys they're signed with. It's not really
> practical to verify them face-to-face with their owners, but I usually
> throw the key ID into Google, and check that I get some hits on relevant
> mailing lists. If there are messages from the developers citing that as
> the correct key, it's probably good (assuming their server isn't
> hopelessly compromised and the mailing list archives tampered with).
> Simon.

Well, while installing the base lfs and x I only checked the md5sums 
in the book. I hope it's enough. It would have taken a lot of time
to check checksums at different places. I was glad I finished installing
and I didn't go mad:)

The gentoo portage tree has a "Manifest" file which contains the checksums
of a package and it's all GPG signed.

Thank you for the suggestions so far, let me know if you have more...:)
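The check being discussed above, as an added example that is not code from this thread or from the LFS/BLFS books: a small verifier that reads a list in md5sum output format (the format the book's checksums are given in), hashes each downloaded file, and reports OK, MISMATCH or MISSING per file. The file names, contents and the checksum list are constructed inside the block so it runs offline.

```python
"""Verify downloaded tarballs against an md5sum-format checksum list.

Added example for this thread, not the book's own tooling. Everything it
checks is constructed in demo(), so the names and contents are made up.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sum_list(text):
    """Parse lines in md5sum/sha256sum output format: '<hex>  <filename>'.

    A leading '*' on the filename (md5sum's binary-mode marker) is dropped,
    as md5sum -c does. Blank lines and '#' comments are skipped.
    Returns a list of (filename, expected_hex) pairs.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts
        if name.startswith("*"):
            name = name[1:]
        entries.append((name, digest.lower()))
    return entries


def file_digest(path, algo):
    """Hash a file in 64 KiB chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(sum_list_text, directory, algo="md5"):
    """Return {filename: "OK" | "MISMATCH" | "MISSING"} for every listed entry.

    A missing file is reported rather than silently skipped: a package that
    is not in the download directory has not been verified either.
    """
    results = {}
    for name, expected in parse_sum_list(sum_list_text):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Build a throwaway download directory with constructed files and check it."""
    tmp = tempfile.mkdtemp()
    good = b"pretend this is a tarball\n"
    with open(os.path.join(tmp, "good-1.0.tar.bz2"), "wb") as f:
        f.write(good)
    with open(os.path.join(tmp, "tampered-1.0.tar.bz2"), "wb") as f:
        f.write(good + b"x")  # one extra byte: the listed checksum must fail
    good_md5 = hashlib.md5(good).hexdigest()
    # Constructed "book" list: the tampered file is listed with the good
    # file's checksum, and one listed package was never downloaded at all.
    book_list = (
        "# hypothetical checksum list, not the LFS book's\n"
        "%s  good-1.0.tar.bz2\n"
        "%s  tampered-1.0.tar.bz2\n"
        "%s  never-downloaded-1.0.tar.bz2\n"
    ) % (good_md5, good_md5, hashlib.md5(b"").hexdigest())
    return verify_downloads(book_list, tmp)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

Note what this does and does not establish: a matching checksum shows the file is the one the list describes, so the result is only as trustworthy as the list itself (the book, or a Manifest, which is why Gentoo signs it). For tarballs that ship a detached signature, the stronger check is `gpg --verify pkg.tar.xz.sig pkg.tar.xz` after importing the maintainer's key, with the key-verification caveat Simon gives above.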

More information about the blfs-support mailing list