
Re: [RFH] The need for signed packages and signed Releases (long, long)

On Tue, 12 Nov 2002, Alexander Neumann wrote:

> Hi,
> Glenn McGrath wrote:
> > It would only need to sign the control.tar.gz as the contents of the
> > data.tar.gz could be verified from the ./md5sums within control.tar.gz
> That's true, but AFAIR the md5sums-file is optional. If we want to use
> it to verify the contents of data.tar.gz it must be required by the
> policy.

Hardly.  If the deb is signed, and verified, then we know the file contents are
valid.  Why do a double check against some possibly non-existent internal
md5sums file?

dpkg 2.0 will be generating file checksums anyways during install, so this
particular point will be moot.
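As an added illustration of the two schemes being argued over above (this is example code, not part of the thread or of dpkg): a constructed, in-memory .deb-style archive is built, and the data.tar.gz contents are checked against the ./md5sums member of control.tar.gz. The ar/tar layout mirrors the real .deb format, but the package contents, the `build_deb`/`verify_deb` helpers and their names are this example's own assumptions. The check returns a failure both when a data file is tampered with and when md5sums is simply absent, which is the optional-file problem Alexander raises; it is also the reason the whole-deb signature discussed in the reply does not depend on that member.

```python
import hashlib
import io
import tarfile
from typing import Dict, Optional, Tuple

# --- constructed sample package (hypothetical; not a real Debian package) ---
SAMPLE_FILES: Dict[str, bytes] = {
    "./usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "./usr/share/doc/hello/README": b"constructed sample doc\n",
}


def _norm(name: str) -> str:
    """data.tar members are './usr/bin/x'; md5sums lines use 'usr/bin/x'."""
    return name[2:] if name.startswith("./") else name


def _tar_gz(files: Dict[str, bytes]) -> bytes:
    """Pack a name->content mapping into a gzip'd tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_member(name: str, data: bytes) -> bytes:
    """One 'ar' archive member: 60-byte header + data, padded to even length."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def make_md5sums(files: Dict[str, bytes]) -> bytes:
    """Generate the control-area md5sums member for a set of data files."""
    lines = [f"{hashlib.md5(c).hexdigest()}  {_norm(n)}" for n, c in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def build_deb(data_files: Dict[str, bytes], md5sums: Optional[bytes]) -> bytes:
    """Assemble debian-binary, control.tar.gz and data.tar.gz into an ar archive."""
    control = {"./control": b"Package: hello\nVersion: 1.0\n"}
    if md5sums is not None:  # the member is optional, which is the whole point
        control["./md5sums"] = md5sums
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control))
            + _ar_member("data.tar.gz", _tar_gz(data_files)))


def read_ar(blob: bytes) -> Dict[str, bytes]:
    """Split an ar archive into its members (name -> raw bytes)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip()
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)
    return members


def md5sums_of_data(tar_gz: bytes) -> Dict[str, str]:
    """Compute MD5 of every regular file inside data.tar.gz."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_gz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                result[_norm(member.name)] = hashlib.md5(tar.extractfile(member).read()).hexdigest()
    return result


def verify_deb(blob: bytes) -> Tuple[bool, str]:
    """Check data.tar.gz against control.tar.gz's md5sums; fail closed if absent."""
    members = read_ar(blob)
    expected: Optional[str] = None
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as ctl:
        for m in ctl.getmembers():
            if _norm(m.name) == "md5sums":
                expected = ctl.extractfile(m).read().decode()
    if expected is None:
        return False, "control.tar.gz has no md5sums; data.tar.gz cannot be verified this way"
    want = {}
    for line in expected.splitlines():
        digest, path = line.split("  ", 1)
        want[path] = digest
    have = md5sums_of_data(members["data.tar.gz"])
    if set(want) != set(have):
        return False, "file list differs between md5sums and data.tar.gz"
    bad = sorted(p for p in want if want[p] != have[p])
    if bad:
        return False, "checksum mismatch: " + ", ".join(bad)
    return True, "ok"


if __name__ == "__main__":
    print(verify_deb(build_deb(SAMPLE_FILES, make_md5sums(SAMPLE_FILES))))
    print(verify_deb(build_deb(SAMPLE_FILES, None)))
```

The md5sums route only means anything if control.tar.gz is itself what the signature covers; otherwise an attacker who can rewrite data.tar.gz can rewrite md5sums to match. The example also shows why a verifier must treat a missing md5sums as a failure rather than skipping the check.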
