@ai6yr @Viss "If it's got the right SHA checksum... "

And this right here is why I think Debian's approach of "only sign the indices, packages just need checksums" is hazardous. Checksums are NOT designed as a mechanism to prevent malicious tampering, only to detect accidental file damage.

I have heard rumbles (but not kept up) that Debian is going to start requiring reproducible builds. I can only hope this will come with a signature requirement or itself fulfill enough integrity checks to make this less uncomfortable for everyone.

(Although I should really finish my coffee first as here it's an install script NOT the package manager that is relying on a hash. Which might honestly be the best thing it had access to.)

@ai6yr @Viss Yeah, the answer is sadly right here:

https://salsa.debian.org/debian/b43-fwcutter/-/commit/5a328aadbd836a27ea3c320645fede7f1d272905?file_path=debian%2Ffirmware-b43-installer.postinst#note_715419

Rest in peace, Larry Finger.

@ai6yr

Who needs algorithms

@CliffsEsport @ai6yr @wendinoakland

"Thousands of Orange County residents remained under evacuation orders Friday after officials warned that a massive storage tank leaking hazardous chemicals at a Garden Grove aerospace facility could potentially rupture or explode.

Fire officials said in a news conference Friday that the situation had escalated significantly overnight and warned that crews had been unable to fully stabilize the overheating 34,000-gallon tank containing methyl methacrylate, a volatile and highly flammable industrial chemical.

“This is not precautionary… this thing is gonna fail, and we don’t know when,” said Division Chief Craig Covey during a Friday afternoon press conference. “We’re doing our best to figure out when or how we can prevent it.”"

https://ktla.com/news/orange-county/thousands-evacuated-again-after-toxic-tank-leak-in-garden-grove/