> On Fri, October 29, 2004 02:08 PM Jeff Spaleta wrote:
> you can grab the signed metadata with the md5sums, check the sig on that.
> and then do a md5sum check comparing the md5sum values in the metadata
> and the package. You can do the md5sum check by hand. This isn't much
> different than the situation with the isos. How do you verify you are
> using the correct isos? you check the md5sums against an md5sum list.
> How do you check the validity of the md5sum list?
> You check the md5sum list signature.

Amen!!!!!! Thank you for restating that again. I was hoping when you presented that before it would put all this to rest. That's how digital signatures "work". I think that is really the BEST solution for this whole problem.

>
> You might argue it would be a good idea if there was a signed flat
> md5sum list for all packages as well as the xml metadata, so the
> md5sum command could use it. And then I'll tell you, you need to
> accept the inevitable future of xml for all possible human
> communication adopted by unanimous United Nations resolution, and you
> should fix md5sum to parse xml structure files for md5sum sigs :->

Exactly!

> Can rawhide packages be automatically signed... of course
> Does autosigning help the intended, well informed, audience of the
> rawhide packages... yes
> Does autosigning hurt the unintended, un-informed or mis-informed
> audience... i think it does.
>
> -jef
>

And I think the latter is a bigger and worse impact than the benefit of the former!

Andrew
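
The second half of the chain discussed in this thread (compare each package against an md5sum list whose signature has already been checked), as an added example that is not part of the original messages. It assumes the list has passed a signature check beforehand (for example with `gpg --verify`); the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import pathlib
import tempfile

def parse_md5_list(text):
    """Parse md5sum-style lines: '<32 hex> <mode char><name>' (mode is ' ' or '*')."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.strip().partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if len(digest) != 32 or set(digest.lower()) - set("0123456789abcdef") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_packages(list_text, directory):
    # Assumption: list_text already passed a signature check (e.g. gpg --verify);
    # an unverified list proves nothing about the packages it names.
    expected = parse_md5_list(list_text)
    result = {}
    for name, digest in expected.items():
        path = pathlib.Path(directory) / name
        if not path.is_file():
            result[name] = "MISSING"
        else:
            result[name] = "OK" if md5_of(path) == digest else "MISMATCH"
    # Files the signed list does not mention are outside the trust chain.
    for p in pathlib.Path(directory).iterdir():
        result.setdefault(p.name, "UNLISTED")
    return result

def demo():
    # Constructed sample data: names and contents are made up for illustration.
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("a.rpm", b"good"), ("b.rpm", b"tampered"), ("c.rpm", b"extra")):
            pathlib.Path(d, name).write_bytes(data)
        listing = "\n".join(f"{hashlib.md5(c).hexdigest()}{sep}{n}" for c, sep, n in
                            ((b"good", "  ", "a.rpm"), (b"original", " *", "b.rpm"), (b"gone", "  ", "d.rpm")))
        return check_packages(listing, d)
```

A package reported as `UNLISTED` is the case an unsigned package falls into: the signature on the list says nothing about it.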