Mailinglist Archive: opensuse-project (198 mails)

< Previous Next >
Re: [opensuse-project] Site going down at release - solution
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Mon, 18 Dec 2006 16:30:25 +0100 (CET)
  • Message-id: <Pine.LNX.4.64.0612181624150.901@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The Sunday 2006-12-17 at 18:45 -0600, Rajko M. wrote:

...

> > Some other neat features which are still unsupported are inclusion of PGP
> > signatures and some other stuff.
>
> That is what is necessary to verify source of files.

IMO, it would be suficient to sign the xml metalink file itself. As it
contains the md5sum check of the image, that would enough to certify that
what you downloaded was the correct signed file.

Also, segment md5sums could be used to certify mirror sites: if a
segment downloaded from a site doesn't check, and a retry fails again,
that would mark that site as "bad" or bogus or whatever.


An alternative is to sign the image, but that would be better done by the
image provider/maker.

Tricky problem! ;-)

- --
Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQFFhrQTtTMYHG2NR9URAhvNAKCIr1TxlGYOHHnuTlNg1lyXp9oOfACfWfWQ
wnHKqD2rk6UAxCd/Ny1YQ5U=
=unP4
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-project+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-project+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups