On 2025-09-19 14:27:59 -0400, Jeffrey Walton wrote:
> The list of MD5 sums of each package is signed, so their authenticity
> can be verified using the signature. See
> <https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html>.

The authenticity is not the only requirement for security. You also
need to have a way to ensure that the packages are up-to-date. With
HTTP, connections can be redirected to a repository with obsolete,
vulnerable packages.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
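An added example, not part of the original message: a freshness check on repository metadata whose signature has already been verified, showing that a validly signed but old Release file is still a problem. It relies on the `Date` and `Valid-Until` fields of a Debian Release file; the sample text, the `max_age` fallback and the `last_seen_date` bookkeeping are assumptions made for this sketch.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the layout of a Release file header (not real data).
SAMPLE_RELEASE = """\
Origin: Example
Suite: stable
Date: Sat, 06 Sep 2025 09:00:00 UTC
Valid-Until: Sat, 13 Sep 2025 09:00:00 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
"""

def release_fields(text):
    """Return top-level 'Key: value' fields, skipping indented checksum lines."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def freshness_problems(text, now, last_seen_date=None, max_age=timedelta(days=7)):
    """List reasons to distrust a Release file even though its signature is good."""
    fields = release_fields(text)
    if "Date" not in fields:
        return ["no Date field: freshness cannot be judged"]
    date = parse_date(fields["Date"])
    problems = []
    if "Valid-Until" in fields:
        if now > parse_date(fields["Valid-Until"]):
            problems.append("expired: now is past Valid-Until")
    elif now - date > max_age:  # hypothetical local policy when no expiry is given
        problems.append("stale: no Valid-Until and Date older than max_age")
    # Hypothetical bookkeeping: the caller stores the newest Date it has accepted.
    if last_seen_date is not None and date < last_seen_date:
        problems.append("rollback: Date is older than a Release seen earlier")
    return problems

if __name__ == "__main__":
    now = datetime(2025, 9, 19, 18, 28, tzinfo=timezone.utc)
    print(freshness_problems(SAMPLE_RELEASE, now))
```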

