On Wed, Mar 10, 2010 at 11:22:00PM +0100, Frank Lin PIAT wrote:
> I made some tests, and it seems that we could allow, but not require, GPG
> signed checksum-file. sha256sum will ignore invalid lines by default
> (unless you specify --warn option).
>
> Similarly, the policy could state that GPG clear-signed shasum files are
> allowed. Tools using shasum should still strip the signature, especially
> when using the checksum for security purpose.

Is there any good reason not to use a detached signature in a separate file instead? I know that doubles the number of files, but it also reduces the raw size by around 47 bytes and simplifies parsing of the checksum files themselves.

--
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org);
MUD(fu...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }
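
The parsing cost discussed in this thread, as an added example that is not part of either message: a strict reader that accepts a plain or a clear-signed SHA-256 checksum file and returns only the entries inside the signed region. It strips the framing but does not verify the signature (that still needs GnuPG); the function names and the sample data are assumptions made for illustration.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# One sha256sum entry: 64 hex digits, a space, ' ' (text) or '*' (binary), name.
ENTRY = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def signed_body(text):
    """Lines inside the clear-signed region, or every line of a plain file.
    This only strips the framing; it does NOT verify the signature."""
    lines = text.splitlines()
    if BEGIN_MSG not in lines:
        if BEGIN_SIG in lines:
            raise ValueError("signature block without a signed-message header")
        return lines
    start = lines.index(BEGIN_MSG)
    if any(line.strip() for line in lines[:start]):
        raise ValueError("data before the signed message")
    try:
        blank = lines.index("", start)       # blank line ends the "Hash:" headers
        end = lines.index(BEGIN_SIG, blank)  # the signed text stops here
    except ValueError:
        raise ValueError("truncated clear-signed file") from None
    return lines[blank + 1:end]              # anything after the signature is dropped

def parse_checksums(text):
    """Map file name -> SHA-256 hex digest, rejecting any unexpected line."""
    entries = {}
    for line in signed_body(text):
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:                    # fail closed instead of ignoring the line
            raise ValueError("unexpected line: %r" % line)
        entries[match.group(2)] = match.group(1)
    return entries

# Constructed sample data: placeholder digests and a dummy signature body.
PLAIN = "a" * 64 + "  foo.tar.gz\n" + "b" * 64 + " *bar.iso\n"
CLEARSIGNED = "\n".join([BEGIN_MSG, "Hash: SHA256", "", PLAIN.rstrip("\n"),
                         BEGIN_SIG, "", "ZHVtbXk=", END_SIG, ""])

if __name__ == "__main__":
    print(parse_checksums(CLEARSIGNED) == parse_checksums(PLAIN))
```

With a detached signature the checksum file is always the plain form, so `signed_body` reduces to its first branch and the signature is checked over the file's exact bytes.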