On Tue, 19 Dec 2006, Carlos E. R. wrote:
The "snag" is that checking both checksum and signature doubles checking time. I suppose that the user could select which one to use, same as rpm does, having both systems too, if I'm not mistaken.
A cryptographic signature should detect data corruption as well as a checksum -- after all it needs to detect willful tampering, not just technical corruption. So that should suffice, shouldn't it?
Definitely. To put this in context, we were talking about metalink, which is an XML list of mirrors, checksums, and signatures for easier downloading/file distribution.

Metalinks can contain:
- partial file checksums for repairing a download
- full file checksums
- cryptographic signature

The problem is that there are multiple clients on multiple operating systems. Almost all clients support MD5/SHA-1 full file checksums now. None of them support partial file checksums or signatures so far. I doubt the Windows and Mac clients will support PGP signatures, but maybe. It seems like the Linux clients will be more likely to have GPG and integrate it.

So, a client that supports signatures could use the partial file checksums for errors in transfer, then just use the signature and skip the full file checksum. Ones that don't support signatures can use the partial and full file checksums.

Support for metalink in KGet in KDE4 seems to be making progress.

(( Anthony Bryan ))
Metalink [ http://www.metalinker.org ]
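The client-side policy described in the message above, sketched as an added example that is not part of the original thread or of any metalink client. The metadata dict layout, SHA-1 for the partial checksums, and the `verify_signature` callable (a stand-in for a GPG wrapper) are assumptions made for illustration.

```python
import hashlib

def build_meta(data, piece_len):
    """Constructed sample metadata: a plain dict, not the Metalink XML schema."""
    pieces = [hashlib.sha1(data[i:i + piece_len]).hexdigest()
              for i in range(0, len(data), piece_len)]
    return {"piece_len": piece_len, "piece_hashes": pieces,
            "full_hash": hashlib.sha1(data).hexdigest(), "signature": None}

def bad_pieces(data, piece_len, piece_hashes):
    """Indexes of pieces whose hash mismatches (candidates for re-download)."""
    bad = []
    for i, expected in enumerate(piece_hashes):
        piece = data[i * piece_len:(i + 1) * piece_len]  # empty if truncated
        if hashlib.sha1(piece).hexdigest() != expected.lower():
            bad.append(i)
    return bad

def verify_download(data, meta, verify_signature=None):
    """Return (ok, method, bad_piece_indexes).

    verify_signature: hypothetical callable(data, signature) -> bool, or None
    for a client without signature support.
    """
    # Step 1: partial checksums locate transfer errors so only those
    # pieces need to be fetched again.
    bad = bad_pieces(data, meta["piece_len"], meta["piece_hashes"])
    if bad:
        return False, "pieces", bad
    # Step 2a: a signature-capable client checks the signature and skips
    # the full-file checksum, avoiding a second whole-file hash pass.
    if verify_signature is not None and meta.get("signature"):
        return bool(verify_signature(data, meta["signature"])), "signature", []
    # Step 2b: otherwise the full-file checksum is the final check; it also
    # catches data appended beyond the last listed piece.
    ok = hashlib.sha1(data).hexdigest() == meta["full_hash"].lower()
    return ok, "full-checksum", []

if __name__ == "__main__":
    sample = b"A" * 1000 + b"B" * 1000 + b"C" * 500   # constructed file content
    meta = build_meta(sample, 1000)
    damaged = bytearray(sample)
    damaged[1500] ^= 0x01                              # simulate a transfer error
    print(verify_download(sample, meta))
    print(verify_download(bytes(damaged), meta))
```

The checksums come from the same metalink as the mirror list, so they only catch transfer errors; detecting tampering depends on the signature path being available.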