Re: Bug#540215: Introduce dh_checksums, clear-signed checksum
On Wed, Mar 10, 2010 at 11:22:00PM +0100, Frank Lin PIAT wrote:
> I made some tests, and it seems that we could allow,but not require, GPG
> signed checksum-file. sha256sum will ignore invalid lines by default
> (unless you specify --warn option).
>
> Similarly, the policy could state that GPG clear-signed shasum files are
> allowed. Tools using shasum should still strip the signature, especially
> when using the checksum for security purpose.
Is there any good reason not to use a detached signature in a
separate file instead? I know that doubles the number of files, but
it also reduces the raw size by around 47 bytes and simplifies
parsing of the checksum files themselves.
--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }
Reply to: