Adam Heath wrote:
> Hardly. If the deb is signed, and verified, then we know the file contents are
> valid. Why do a double check against some possibly non-existent internal
> md5sums file?

Right, when signing both, data.tar.gz and control.tar.gz. The suggestion was only to sign control.tar.gz...

> dpkg 2.0 will be generating file checksums anyways during install, so this
> particular point will be moot.

Cool!

- Alexander