On Fri, 2004-10-29 at 09:18 -0400, William Hooper wrote:
> John Burton said:
> [snip]
> > As far as signing packages vs. signing meta-data... Digital signatures
> > are like real signatures, you want to make sure they are actually attached
> > to what you are signing.
> [snip]
>
> IIRC the discussion was that signed meta-data would have the signatures
> attached to the MD5sums of the packages. The MD5sums of the download
> could then be checked against the meta-data, verifying that the package is
> the same as the package used to create the meta-data.

This still forces me to use special tools like up2date and yum to access
the packages if I want to verify their origins.

Nils
-- 
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
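The scheme William describes (a signature over the checksum list, with each download checked against that list) as an added, self-contained example; this is not code from the thread, from up2date or from yum. It assumes Ed25519 and SHA-256 in place of the GPG signatures and MD5sums the thread is about, a one-line-per-package checksum file instead of the real repository metadata format, and constructed package contents. The verify function makes the point of the reply concrete: the package bytes carry no signature, so the client must fetch and verify the metadata, and any tool that wants to check origin has to understand that metadata.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo models a repository in which the only digital signature covers the
// metadata (a list of package checksums), not the packages themselves.
type Repo struct {
	PubKey   ed25519.PublicKey
	Metadata []byte            // lines of "<hex sha256>  <package file name>"
	Sig      []byte            // detached signature over Metadata only
	Packages map[string][]byte // package file name -> package bytes
}

// BuildRepo computes a checksum for every package, writes the checksum
// list as the metadata file and signs only that file (repository side).
func BuildRepo(priv ed25519.PrivateKey, pkgs map[string][]byte) *Repo {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic metadata regardless of map order
	var meta bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(pkgs[n])
		fmt.Fprintf(&meta, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return &Repo{
		PubKey:   priv.Public().(ed25519.PublicKey),
		Metadata: meta.Bytes(),
		Sig:      ed25519.Sign(priv, meta.Bytes()),
		Packages: pkgs,
	}
}

// parseMetadata turns the checksum list into a name -> hex digest map.
// Call it only after the signature over the metadata has been checked.
func parseMetadata(meta []byte) (map[string]string, error) {
	sums := map[string]string{}
	sc := bufio.NewScanner(bytes.NewReader(meta))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed metadata line %q", sc.Text())
		}
		sums[fields[1]] = fields[0]
	}
	return sums, sc.Err()
}

// VerifyPackage is the client-side check: (1) the metadata signature must
// verify under the repository key, (2) the metadata must list the package,
// (3) the downloaded bytes must hash to the listed digest. The package's
// origin is established only through the metadata; the package file on
// its own carries nothing a generic tool could verify.
func VerifyPackage(r *Repo, name string) error {
	if !ed25519.Verify(r.PubKey, r.Metadata, r.Sig) {
		return errors.New("metadata signature does not verify")
	}
	sums, err := parseMetadata(r.Metadata)
	if err != nil {
		return err
	}
	want, ok := sums[name]
	if !ok {
		return fmt.Errorf("package %q not listed in signed metadata", name)
	}
	pkg, ok := r.Packages[name]
	if !ok {
		return fmt.Errorf("package %q not present in repository", name)
	}
	got := sha256.Sum256(pkg)
	if hex.EncodeToString(got[:]) != want {
		return fmt.Errorf("package %q: checksum mismatch", name)
	}
	return nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample packages; real ones would be RPM files.
	repo := BuildRepo(priv, map[string][]byte{
		"foo-1.0-1.noarch.rpm": []byte("foo package contents"),
		"bar-2.3-4.noarch.rpm": []byte("bar package contents"),
	})
	fmt.Println("genuine:", VerifyPackage(repo, "foo-1.0-1.noarch.rpm"))
	repo.Packages["foo-1.0-1.noarch.rpm"] = []byte("trojaned contents")
	fmt.Println("tampered package:", VerifyPackage(repo, "foo-1.0-1.noarch.rpm"))
}
```

Tampering with either the package or the metadata is caught, but only by a client that fetches the metadata, checks its signature and knows the checksum-list format. A per-package signature, by contrast, can be checked on the downloaded file alone with a general-purpose tool (rpm --checksig or gpg), which is the distinction the reply draws.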