[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFH] The need for signed packages and signed Releases (long, long)



Adam Heath wrote:
> Hardly.  If the deb is signed, and verfied, then we know the file contents are
> valid.  Why do a double check against some possibly non-existant internal
> md5sums file?

Right, when signing both, data.tar.gz and control.tar.gz. The
suggestion was only to sign control.tar.gz...

> dpkg 2.0 will be generating file checksums anyways during install, so this
> particular point will be moot.

Cool!

- Alexander

Attachment: pgpTTo04rVM9O.pgp
Description: PGP signature


Reply to: