Should Fedora rpms be signed?
William Hooper
whooperhsd3 at earthlink.net
Fri Oct 29 13:18:19 UTC 2004
John Burton said:
[snip]
> As far as signing packages vs. signing meta-data... Digital signatures
> are like real signatures, you want to make sure they are actually attached
> to what you are signing.
[snip]
IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages. The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.
--
William Hooper
More information about the fedora-test-list
mailing list