Re: [RFH] The need for signed packages and signed Releases (long, long)
On Tue, Nov 12, 2002 at 05:11:32PM +0100, Alexander Neumann wrote:
|| Adam Heath wrote:
|| > Hardly. If the deb is signed, and verfied, then we know the file
|| > contents are valid. Why do a double check against some possibly
|| > non-existant internal md5sums file?
|| Right, when signing both, data.tar.gz and control.tar.gz. The
|| suggestion was only to sign control.tar.gz...
Signing just control.tar.gz seems wrong to me. If you want to
assert that data.tar.gz is valid, sign it. Don't make software
infer the validity of data.tar.gz using an additional md5sum step.
It's just a case of expressing what you mean as directly as possible.