Bear Giles <[EMAIL PROTECTED]> wrote:
> But you're biting your own tail here. Where do you get that "good"
> checksum?

Any place which is acceptable to the package maintainer -- perhaps out of a pgp signed archive. If the package maintainer can't produce a trustable package, it doesn't matter how fancy you get. Bootstrapping is hard -- best you can do for the general case is compare notes after you've gotten a secure system up. The one thing you have going for you is that corrupted packages have to be visible, to someone, or they're no danger.

-- 
Raul