It seems that there is now a bit of control: the md5sum indicated in the URL must be well-formed (good length and only hexadecimal digits).
But the problem remains that no control on the md5sum itself is done. You can direct someone to this page with any (well-formed) invalid md5sum, e.g.

<http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.30-4_i386.deb&md5sum=8b4192d23b18e2b6aa9204fc0ba65ead&arch=i386&type=main>

<http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.30-4_i386.deb&md5sum=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&arch=i386&type=main>

et cetera.
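
The gap described in the message above, as an added example (not part of the original message and not the code of download.pl): a well-formedness check accepts any 32 hex digits, whereas a lookup against the archive's own index only ever displays the checksum the archive recorded for that file. The index stanzas, the MD5sum values and the function names are constructed for illustration.

```python
import re

# Constructed Packages-style index; the MD5sum values are made-up
# placeholders, not the real checksums of any package.
SAMPLE_PACKAGES = """\
Package: dietlibc
Version: 0.30-4
Architecture: i386
Filename: pool/main/d/dietlibc/dietlibc_0.30-4_i386.deb
MD5sum: 0123456789abcdef0123456789abcdef

Package: example-pkg
Version: 1.0-1
Architecture: i386
Filename: pool/main/e/example-pkg/example-pkg_1.0-1_i386.deb
MD5sum: fedcba9876543210fedcba9876543210
"""

WELL_FORMED = re.compile(r"[0-9a-f]{32}")


def load_index(packages_text):
    """Map each Filename to its MD5sum from a Packages-style index."""
    index = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines are not needed here
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if "filename" in fields and "md5sum" in fields:
            index[fields["filename"]] = fields["md5sum"].lower()
    return index


def is_well_formed(md5sum):
    """The check the message describes: right length, hex digits only."""
    return WELL_FORMED.fullmatch(md5sum.lower()) is not None


def checksum_to_display(index, file_param, md5_param):
    """Return the checksum the page may show, or None to refuse the request."""
    known = index.get(file_param)
    if known is None or not is_well_formed(md5_param):
        return None
    # Only the archive's recorded value is ever shown; the URL value is
    # compared against it and never echoed back to the visitor.
    return known if known == md5_param.lower() else None
```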