Re: [RFH] The need for signed packages and signed Releases (long, long)
On Tue, 12 Nov 2002, Alexander Neumann wrote:
> Hi,
>
> Glenn McGrath wrote:
> > It would only need to sign the control.tar.gz as the contents of the
> > data.tar.gz could be verified from the ./md5sums within control.tar.gz
>
> That's true, but AFAIR the md5sums-file is optional. If we want to use
> it to verify the contents of data.tar.gz it must be required by the
> policy.
Hardly. If the deb is signed, and verified, then we know the file contents are
valid. Why do a double check against some possibly non-existent internal
md5sums file?
dpkg 2.0 will be generating file checksums anyways during install, so this
particular point will be moot.
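The thread argues over whether a signed control.tar.gz plus its ./md5sums file is enough to verify data.tar.gz, and whether that works when md5sums is absent. The following is an added example, not code from this thread or from dpkg: it builds a minimal .deb-style ar archive in memory from constructed sample files (the `hello` package name and paths are made up), then checks every regular file in data.tar.gz against the md5sums list carried in control.tar.gz, and reports the "md5sums missing, nothing to verify" case separately. Signature checking of control.tar.gz itself is outside the example; it only shows the second half of the chain the thread describes.

```python
import hashlib
import io
import tarfile

# Constructed sample payload for a hypothetical "hello" package.
SAMPLE_FILES = {
    "./usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "./usr/share/doc/hello/README": b"constructed sample package\n",
}


def _strip_dot(path):
    return path[2:] if path.startswith("./") else path


def make_md5sums(data_files):
    """Build the md5sums file dpkg-style: '<md5>  <path without ./>' per regular file."""
    return "".join(
        f"{hashlib.md5(content).hexdigest()}  {_strip_dot(path)}\n"
        for path, content in data_files.items()
    ).encode()


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_member(name, payload):
    """One member in the plain ar format a .deb uses: 60-byte header, even-padded body."""
    header = (
        name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
        + b"100644".ljust(8) + str(len(payload)).encode().ljust(10) + b"`\n"
    )
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def build_deb(data_files, md5sums=None):
    """Assemble debian-binary, control.tar.gz and data.tar.gz; md5sums=None omits the file."""
    control = {"./control": b"Package: hello\nVersion: 1.0\nArchitecture: all\n"}
    if md5sums is not None:
        control["./md5sums"] = md5sums
    return (b"!<arch>\n" + _ar_member(b"debian-binary", b"2.0\n")
            + _ar_member(b"control.tar.gz", _tar_gz(control))
            + _ar_member(b"data.tar.gz", _tar_gz(data_files)))


def ar_members(blob):
    """Parse the ar container into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)   # bodies are padded to an even offset
    return members


def verify_data(deb):
    """Check data.tar.gz against ./md5sums from control.tar.gz.

    Returns {"verifiable": False, ...} when the optional md5sums file is absent,
    otherwise lists mismatched, missing and unlisted regular files.
    """
    members = ar_members(deb)
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as ctl:
        md5_name = next((n for n in ctl.getnames() if n in ("./md5sums", "md5sums")), None)
        if md5_name is None:
            return {"verifiable": False, "reason": "control.tar.gz carries no md5sums"}
        expected = {}
        for line in ctl.extractfile(md5_name).read().decode().splitlines():
            digest, path = line.split("  ", 1)
            expected[path] = digest
    mismatched, unlisted, seen = [], [], set()
    with tarfile.open(fileobj=io.BytesIO(members["data.tar.gz"]), mode="r:gz") as data:
        for info in data:
            if not info.isfile():      # md5sums only covers regular files
                continue
            path = _strip_dot(info.name)
            seen.add(path)
            actual = hashlib.md5(data.extractfile(info).read()).hexdigest()
            if path not in expected:
                unlisted.append(path)
            elif expected[path] != actual:
                mismatched.append(path)
    missing = sorted(set(expected) - seen)
    return {"verifiable": True, "ok": not (mismatched or missing or unlisted),
            "mismatched": mismatched, "missing": missing, "unlisted": unlisted}


if __name__ == "__main__":
    good = build_deb(SAMPLE_FILES, make_md5sums(SAMPLE_FILES))
    print(verify_data(good))
    changed = dict(SAMPLE_FILES, **{"./usr/bin/hello": b"#!/bin/sh\necho changed\n"})
    print(verify_data(build_deb(changed, make_md5sums(SAMPLE_FILES))))
    print(verify_data(build_deb(SAMPLE_FILES)))
```

Two caveats the code makes visible: a package without ./md5sums gives no verdict at all, which is the gap Alexander raises, and md5sums lists only regular files, so directories, symlinks and permission bits in data.tar.gz are outside what this check can confirm even when the list is present and signed.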