
Re: Signing Packages.gz



On Sat, Mar 25, 2000 at 11:03:11PM +0100, Robert Bihlmeyer wrote:
> Chris Frey <cdfrey@foursquare.net> writes:
> > So my question is, what are your thoughts on adding a signature to the
> > current Packages.gz file, or adding a similar *dsc file for it,
> > which is then signed? 
> Do you want to sign each package entry, or the whole file? Whose
> signature would be used?

The whole file --- verifying each entry would take at least three minutes
on my hardware, and god knows how long on anything moderately old or
outdated. I certainly wouldn't want to try it on m68k on a regular basis,
e.g. (If doing something just once takes a second, doing it 4000 times
takes a bit over an hour.)

Whose key should be used? Probably a special one just for dinstall,
that's kept fairly securely by the Novare and -admin folks, and revoked
regularly.

There doesn't really seem a huge amount of choice here, to me.

Cheers,
aj 

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds
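The whole-file option aj argues for, as an added illustration that is not part of this thread or of any Debian tool: one detached signature over the entire Packages index, so a client does a single signature check before it trusts any entry, and an edit to any one entry invalidates that signature. The two-stanza index, its MD5sum values and the use of ed25519 in place of the dinstall PGP key are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample Packages index: two control stanzas separated by a blank line.
const samplePackages = `Package: foo
Version: 1.0-1
MD5sum: 9e107d9d372bb6826bd81d3542a419d6

Package: bar
Version: 2.3-4
MD5sum: e4d909c290d0fb1ca068ffaddf22cbd0
`

// parsePackages splits the index into stanzas and maps Package name -> fields.
func parsePackages(index string) map[string]map[string]string {
	out := map[string]map[string]string{}
	for _, stanza := range strings.Split(strings.TrimSpace(index), "\n\n") {
		fields := map[string]string{}
		for _, line := range strings.Split(stanza, "\n") {
			if k, v, ok := strings.Cut(line, ": "); ok {
				fields[k] = v
			}
		}
		out[fields["Package"]] = fields
	}
	return out
}

// signIndex makes ONE detached signature over the whole file (ed25519 stands in for PGP).
func signIndex(priv ed25519.PrivateKey, index string) []byte {
	return ed25519.Sign(priv, []byte(index))
}

// verifyIndex is the single check a client runs before trusting any entry at all.
func verifyIndex(pub ed25519.PublicKey, index string, sig []byte) (map[string]map[string]string, error) {
	if !ed25519.Verify(pub, []byte(index), sig) {
		return nil, fmt.Errorf("index signature invalid: refusing to trust any entry")
	}
	return parsePackages(index), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := signIndex(priv, samplePackages)
	pkgs, err := verifyIndex(pub, samplePackages, sig)
	fmt.Println(len(pkgs), "entries trusted, err:", err)
	_, err = verifyIndex(pub, strings.Replace(samplePackages, "1.0-1", "1.0-2", 1), sig)
	fmt.Println("after editing one entry:", err)
}
```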
