On Wed, 2013-08-14 at 12:24 +0200, Björn Persson wrote:
> Speaking of security, how is the integrity of the bmap file itself
> verified?

This is not implemented, unfortunately. This is another thing which I probably would need to do, and this is a very good point. I will look at this, after I do the SHA256 thing.

> A checksum is of no use if you don't know who generated the
> checksum. Fedora's checksum files are OpenPGP signed, as you can see in
> the one that Till linked to.

Right, the bmap file could also contain such a signature.

> I don't see a cryptographic signature in
> your example file. Are there detached signatures for the bmap files?

Well, of course detached signatures can be generated.

> And does Bmaptool verify the signatures?

But no, bmaptool does not verify them. And again, if there is real interest from the Fedora community, I will try to implement this faster (or accept someone's contribution :-))

Thanks for the feedback!

--
Best Regards,
Artem Bityutskiy
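
The point raised in the thread, that a checksum says nothing about who produced it, shown as an added example (not bmaptool code and not written by anyone in this thread). Assumptions: the two-line manifest is a constructed stand-in for a bmap file and not the real format, and an HMAC with a key held by the publisher stands in for an OpenPGP detached signature, which the Python standard library cannot verify.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> bytes:
    return hashlib.sha256(data).hexdigest().encode()

def make_manifest(image: bytes) -> bytes:
    """Constructed stand-in for a bmap file (not the real format): an image
    checksum line, then an unkeyed checksum of that line."""
    body = b"image-sha256 " + sha256_hex(image) + b"\n"
    return body + b"self-sha256 " + sha256_hex(body) + b"\n"

def checksum_only_verify(manifest: bytes, image: bytes) -> bool:
    """Manifest checked against itself, image checked against the manifest.
    Nothing here establishes who wrote the manifest."""
    try:
        body, trailer = manifest.splitlines(keepends=True)
        image_sum, self_sum = body.split()[1], trailer.split()[1]
    except (ValueError, IndexError):
        return False
    return (hmac.compare_digest(self_sum, sha256_hex(body))
            and hmac.compare_digest(image_sum, sha256_hex(image)))

def detached_tag(manifest: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the manifest bytes, kept outside the manifest.
    Stand-in for an OpenPGP detached signature (assumption, see lead-in)."""
    return hmac.new(key, manifest, hashlib.sha256).digest()

def authenticated_verify(manifest: bytes, tag: bytes, key: bytes,
                         image: bytes) -> bool:
    """Authenticate the manifest first; only then trust the checksums in it."""
    if not hmac.compare_digest(tag, detached_tag(manifest, key)):
        return False
    return checksum_only_verify(manifest, image)

# Constructed sample data.
PUBLISHER_KEY = b"constructed-publisher-key"
GOOD_IMAGE = b"original image contents"
GOOD_MANIFEST = make_manifest(GOOD_IMAGE)
GOOD_TAG = detached_tag(GOOD_MANIFEST, PUBLISHER_KEY)
# A party without the key swaps the image and regenerates the manifest.
SWAPPED_IMAGE = b"replaced image contents"
SWAPPED_MANIFEST = make_manifest(SWAPPED_IMAGE)

if __name__ == "__main__":
    print(checksum_only_verify(SWAPPED_MANIFEST, SWAPPED_IMAGE))
    print(authenticated_verify(SWAPPED_MANIFEST, GOOD_TAG, PUBLISHER_KEY, SWAPPED_IMAGE))
    print(authenticated_verify(GOOD_MANIFEST, GOOD_TAG, PUBLISHER_KEY, GOOD_IMAGE))
```

The regenerated manifest is internally consistent, so the checksum-only path accepts it; only the check tied to the publisher's key rejects it.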