On Tue, Jul 17, 2012 at 12:43 PM, Robert Schiele
While this is basically true, MD5 is used in OBS all over the place, and thus for consistency and code reuse reasons it might still make sense to go with that. It should also be noted that the intent of the MD5 sum in Marcus' proposal is not to add a layer of security for malicious attacks (that you better prevent by verifying RPM signatures and SSL certificates for the connection (when using https)) but to use it as a simple checksum mechanism to detect technical transmission issues.
Anyway... isn't the bulk of the complexity of checking signatures the computation of the hash value? (reading the whole package and computing the hash implies processing massive amounts of data). I don't see why verifying the package's signature would be so much worse.