On Fri, Feb 06, 2004 at 03:53:45AM -0500, Todd wrote:
>
> The gpg check is the one I prefer to use. The Fedora.us wiki's
> suggest gpg signed md5 hash files to go along with the uploaded
> packages and most of the packages submitted so far for FL have done
> this, though I have to wonder what the point is. If you check the gpg
> signature of the md5 file and then use the md5 file to check the
> packages, you might as well just use gpg to check the packages
> directly. (Hope that didn't leave you more confused than you were
> before.)

There is a good reason to use gpg signed md5's, and it is that as it is
clear, some people don't know gpg, but are capable of verifying an md5
sum. So if you know gpg you can get the md5 and check the gpg, if you
don't you can at least compare the md5 (clearly not very secure, but at
least something).

Carlos

PS: Sorry I entered so late to this thread, I'm behind on mail
reading...