James Harlow wrote: [Sat Nov 22 2003, 08:15:57AM EST]
> I hope I've convinced people this is valuable.

I was convinced already, but it's really nice to see some first steps
listed and some worst case scenarios covered.

md5sums help to prevent problems due to corrupted downloads and/or
corrupted mirrors. This can include corruption due to malicious
tampering. However it doesn't provide the avenues of detection and
containment provided by signatures. An additional benefit of signatures
is that they can only be generated by a developer, whereas md5sums can
be generated by whoever.

Would it be possible to store the signatures in a file separate from the
sources themselves, similar to the digests at the moment?

Aron

--
Aron Griffis
Gentoo Linux Developer (alpha / ia64 / ruby / vim)
Key fingerprint = E3B6 8734 C2D6 B5E5 AE76 FB3A 26B1 C5E3 2010 4EB0