[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFH] The need for signed packages and signed Releases (long, long)

Adam Heath wrote:
> Hardly.  If the deb is signed, and verfied, then we know the file contents are
> valid.  Why do a double check against some possibly non-existant internal
> md5sums file?

Right, when signing both, data.tar.gz and control.tar.gz. The
suggestion was only to sign control.tar.gz...

> dpkg 2.0 will be generating file checksums anyways during install, so this
> particular point will be moot.


- Alexander

Attachment: pgpf_0EMWJJpB.pgp
Description: PGP signature

Reply to: