
Re: [RFH] The need for signed packages and signed Releases (long, long)



On Tue, Nov 12, 2002 at 05:11:32PM +0100, Alexander Neumann wrote:

||  Adam Heath wrote:
||  > Hardly.  If the deb is signed, and verified, then we know the file
||  > contents are valid.  Why do a double check against some possibly
||  > non-existent internal md5sums file?
||
||  Right, when signing both, data.tar.gz and control.tar.gz. The
||  suggestion was only to sign control.tar.gz...

Signing just control.tar.gz seems wrong to me.  If you want to
assert that data.tar.gz is valid, sign it.  Don't make software
infer the validity of data.tar.gz using an additional md5sum step.
KISS.

It's just a case of expressing what you mean as directly as possible.

Ciao.                                                        Vincent.
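As an added illustration of the two routes this thread contrasts (constructed example code, not from the original thread or from dpkg), the following builds minimal control.tar.gz and data.tar.gz members, signs them, and then swaps data.tar.gz: a signature over both members rejects the swap outright, a signature over control.tar.gz alone never notices, and the md5sums detour only helps when the md5sums file happens to exist. The HMAC stands in for a detached GPG signature; the key, package paths and file contents are all constructed.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the signer's key (a real .deb would use a detached GPG signature).
SIGNING_KEY = b"constructed-demo-key"

def make_tgz(files):
    """Build a .tar.gz member (control.tar.gz or data.tar.gz) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def sign(*members):
    """Direct route: the signature covers exactly the members it vouches for."""
    return hmac.new(SIGNING_KEY, b"".join(members), "sha256").digest()

def data_ok_via_md5sums(control_tgz, data_tgz):
    """Indirect route: True/False per control's md5sums file, None if it is absent."""
    with tarfile.open(fileobj=io.BytesIO(control_tgz), mode="r:gz") as ctl:
        try:
            listing = ctl.extractfile("md5sums").read().decode()
        except KeyError:
            return None  # the "possibly non-existent internal md5sums file"
    expected = dict(line.split(None, 1)[::-1] for line in listing.splitlines())
    with tarfile.open(fileobj=io.BytesIO(data_tgz), mode="r:gz") as data:
        return all(expected.get(m.name) == hashlib.md5(data.extractfile(m).read()).hexdigest()
                   for m in data.getmembers() if m.isfile())

def compare_routes(with_md5sums=True):
    """Swap data.tar.gz after signing and report which route rejects the package."""
    payload = b"#!/bin/sh\necho hello\n"
    control = {"control": b"Package: demo\nVersion: 1\n"}
    if with_md5sums:
        control["md5sums"] = (hashlib.md5(payload).hexdigest() + "  usr/bin/demo\n").encode()
    control_tgz = make_tgz(control)
    sig_both = sign(control_tgz, make_tgz({"usr/bin/demo": payload}))
    sig_ctl = sign(control_tgz)
    swapped = make_tgz({"usr/bin/demo": b"#!/bin/sh\necho swapped\n"})
    return {
        "sign_both_rejects": not hmac.compare_digest(sig_both, sign(control_tgz, swapped)),
        "sign_control_rejects": not hmac.compare_digest(sig_ctl, sign(control_tgz)),
        "md5sums_route": data_ok_via_md5sums(control_tgz, swapped),
    }
```

Run `compare_routes()` and `compare_routes(with_md5sums=False)` to see the three outcomes side by side; only the signature over both members rejects the swapped data.tar.gz in every case.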


