1 Sep 2000 02:20
Are you talking about MD5 sums in a list file on the FTP server? In that case this wouldn't make any sense: whoever is able to change the RPM packages would be able to change the list file too...
I fully agree, but as far as I can tell, excepting security bulletins, that's where the MD5 checksums are going as it is -- when they're there at all. To minimize the risk of tampering, I suggested PGP-signing the checksum list; better, of course, as you and Kurt have pointed out, is also PGP-signing the packages.
And perhaps this could then be PGP signed?
Good point! I remember we had this topic here already, and IIRC SuSE is going to sign in the future. Or maybe SuSE 7.0 is already signed?
ciao Corvin -- Corvin Russell <corvinr@sympatico.ca>
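
The point argued in this thread, as an added example that is not part of the original messages: an MD5 list stored next to the packages verifies cleanly after both are replaced, while a signature over the list does not. HMAC-SHA256 stands in for the detached PGP signature here (an assumption, since the Python standard library has no public-key signing; with PGP the client would hold only the public key), and the file name, key and package contents are constructed.

```python
import hashlib
import hmac

def make_list(files):
    """Build an md5sum-style list: '<hex digest>  <name>' per file."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))

def sign(list_text, key):
    # Stand-in for a detached PGP signature (assumption: HMAC-SHA256).
    return hmac.new(key, list_text.encode(), hashlib.sha256).hexdigest()

def check_files(files, list_text):
    """Return names whose MD5 does not match the list (like md5sum -c)."""
    expected = {}
    for line in list_text.splitlines():
        digest, name = line.split(maxsplit=1)
        expected[name] = digest
    return [n for n, d in sorted(files.items())
            if expected.get(n) != hashlib.md5(d).hexdigest()]

def verify_download(files, list_text, signature, key):
    """Check the list's signature first, then the files against the list."""
    if not hmac.compare_digest(sign(list_text, key), signature):
        return "list signature invalid"
    bad = check_files(files, list_text)
    return "ok" if not bad else "checksum mismatch: " + ", ".join(bad)

# Constructed sample data: the signing key never sits on the FTP server.
PUBLISHER_KEY = b"constructed-demo-key"
original = {"foo-1.0-1.i386.rpm": b"original package bytes"}
good_list = make_list(original)
good_sig = sign(good_list, PUBLISHER_KEY)

# Server-side change: package replaced and the MD5 list regenerated to match.
tampered = {"foo-1.0-1.i386.rpm": b"modified package bytes"}
tampered_list = make_list(tampered)

def demo():
    return {
        "unsigned_check": check_files(tampered, tampered_list),
        "signed_check": verify_download(tampered, tampered_list, good_sig, PUBLISHER_KEY),
        "list_kept_file_swapped": verify_download(tampered, good_list, good_sig, PUBLISHER_KEY),
        "untouched": verify_download(original, good_list, good_sig, PUBLISHER_KEY),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```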