| 1 |
James Harlow wrote: [Sat Nov 22 2003, 08:15:57AM EST] |
| 2 |
> I hope I've convinced people this is valuable. |
| 3 |
|
| 4 |
I was convinced already, but it's really nice to see some first steps |
| 5 |
listed and some worst case scenarios covered. |
| 6 |
|
| 7 |
md5sums help to prevent problems due to corrupted downloads and/or |
| 8 |
corrupted mirrors. This can include corruption due to malicious |
| 9 |
tampering. However it doesn't provide the avenues of detection and |
| 10 |
containment provided by signatures. An additional benefit of signatures |
| 11 |
is that they can only be generated by a developer, whereas md5sums can |
| 12 |
be generated by whoever. |
| 13 |
|
| 14 |
Would it be possible to store the signatures in a file separate from the |
| 15 |
sources themselves, similar to the digests at the moment? |
| 16 |
|
| 17 |
Aron |
| 18 |
|
| 19 |
-- |
| 20 |
Aron Griffis |
| 21 |
Gentoo Linux Developer (alpha / ia64 / ruby / vim) |
| 22 |
Key fingerprint = E3B6 8734 C2D6 B5E5 AE76 FB3A 26B1 C5E3 2010 4EB0 |
Archives