-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Sunday 2006-12-17 at 18:45 -0600, Rajko M. wrote: ...
Some other neat features which are still unsupported are inclusion of PGP signatures and some other stuff.
That is what is necessary to verify source of files.
IMO, it would be suficient to sign the xml metalink file itself. As it contains the md5sum check of the image, that would enough to certify that what you downloaded was the correct signed file. Also, segment md5sums could be used to certify mirror sites: if a segment downloaded from a site doesn't check, and a retry fails again, that would mark that site as "bad" or bogus or whatever. An alternative is to sign the image, but that would be better done by the image provider/maker. Tricky problem! ;-) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFFhrQTtTMYHG2NR9URAhvNAKCIr1TxlGYOHHnuTlNg1lyXp9oOfACfWfWQ wnHKqD2rk6UAxCd/Ny1YQ5U= =unP4 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-project+help@opensuse.org