Re: [RFH] The need for signed packages and signed Releases (long, long)

To: debian-devel@lists.debian.org
Subject: Re: [RFH] The need for signed packages and signed Releases (long, long)
From: Alexander Neumann <alexander@debian.org>
Date: Tue, 12 Nov 2002 17:11:32 +0100
Message-id: <[🔎] 20021112161132.GI12307@bumpern.de>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] Pine.LNX.4.33.0211121001260.31185-100000@gradall.private.brainfood.com>
References: <[🔎] 20021112152156.GH12307@bumpern.de> <[🔎] Pine.LNX.4.33.0211121001260.31185-100000@gradall.private.brainfood.com>

Adam Heath wrote:
> Hardly.  If the deb is signed, and verfied, then we know the file contents are
> valid.  Why do a double check against some possibly non-existant internal
> md5sums file?

Right, when signing both, data.tar.gz and control.tar.gz. The
suggestion was only to sign control.tar.gz...

> dpkg 2.0 will be generating file checksums anyways during install, so this
> particular point will be moot.

Cool!

- Alexander

Attachment: pgppmumolXWd1.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Vincent Zweije <zweije@xs4all.nl>

References:
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Alexander Neumann <alexander@debian.org>
- Re: [RFH] The need for signed packages and signed Releases (long, long)
  - From: Adam Heath <doogie@debian.org>

Prev by Date: Re: Discussion - non-free software removal
Next by Date: Re: Some odd idea on /etc/modules
Previous by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Next by thread: Re: [RFH] The need for signed packages and signed Releases (long, long)
Index(es):
- Date
- Thread