Re: [RFH] The need for signed packages and signed Releases (long, long)

To: debian-devel@lists.debian.org
Cc: <debian-devel@lists.debian.org>
Subject: Re: [RFH] The need for signed packages and signed Releases (long, long)
From: Adam Heath <doogie@debian.org>
Date: Tue, 12 Nov 2002 10:02:27 -0600 (CST)
Message-id: <[🔎] Pine.LNX.4.33.0211121001260.31185-100000@gradall.private.brainfood.com>
In-reply-to: <[🔎] 20021112152156.GH12307@bumpern.de>

On Tue, 12 Nov 2002, Alexander Neumann wrote:

> Hi,
>
> Glenn McGrath wrote:
> > It would only need to sign the control.tar.gz as the contents of the
> > data.tar.gz could be verified from the ./md5sums within control.tar.gz
>
> That's true, but AFAIR the md5sums-file is optional. If we want to use
> it to verify the contents of data.tar.gz it must be required by the
> policy.

Hardly.  If the deb is signed, and verfied, then we know the file contents are
valid.  Why do a double check against some possibly non-existant internal
md5sums file?

dpkg 2.0 will be generating file checksums anyways during install, so this
particular point will be moot.

Reply to:

Follow-Ups:
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Alexander Neumann <alexander@debian.org>

References:
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Alexander Neumann <alexander@debian.org>

Prev by Date: Re: Discussion - non-free software removal
Next by Date: Re: Migration of non-free packages to testing
Previous by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Next by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Index(es):
- Date
- Thread