On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
> The checksum file could be attached as additional member in the
> .deb. And a signature could be a signed file containing the checksum
> size and name of all members of a .deb preceding the signature. That
> way the signature can verify the deb itself or individual members, like
> the checksum file, in the .deb. Just a thought.

I'm not sure how you mean that exactly. But the signature must be over the checksum file, nothing more and nothing less. Otherwise you won't be able to verify the checksum file.

Also I think it's really a very bad idea in general to mix multiple different things into one signature. The one thing is a signature over installed files (via the checksum file). The other is a signature over a package. The two are completely orthogonal and serve different purposes.

harry
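
An added illustration of the design argued for in this message (not code from the thread or from dpkg): when the signature covers exactly the bytes of the checksum file, an installed system can authenticate that file and then check each installed file against it, without the .deb. The `digest  path` line format, SHA-256, the function names, and the HMAC used as an offline stand-in for a real detached public-key signature are all assumptions.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key. Assumption: HMAC stands in for a detached public-key
# signature so the example runs offline with the standard library only.
DEMO_KEY = b"constructed-demo-key"

def sign_checksum_file(checksum_bytes: bytes) -> str:
    """'Signature' over exactly the bytes of the checksum file, nothing else."""
    return hmac.new(DEMO_KEY, checksum_bytes, hashlib.sha256).hexdigest()

def verify_installed(root: str, checksum_bytes: bytes, signature: str) -> list:
    """Return a list of problems; an empty list means everything verified."""
    # Step 1: authenticate the checksum file before trusting any entry in it.
    if not hmac.compare_digest(sign_checksum_file(checksum_bytes), signature):
        return ["checksum file: bad signature"]
    # Step 2: check every installed file against the authenticated list.
    problems = []
    for line in checksum_bytes.decode().splitlines():
        digest, _, rel = line.partition("  ")
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                actual = hashlib.sha256(fh.read()).hexdigest()
        except FileNotFoundError:
            problems.append(f"{rel}: missing")
            continue
        if actual != digest:
            problems.append(f"{rel}: modified")
    return problems

def demo() -> dict:
    # Constructed sample package contents.
    files = {"usr/bin/tool": b"#!/bin/sh\necho ok\n", "etc/tool.conf": b"verbose=0\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        checksums = "".join(
            f"{hashlib.sha256(d).hexdigest()}  {r}\n" for r, d in files.items()
        ).encode()
        sig = sign_checksum_file(checksums)
        clean = verify_installed(root, checksums, sig)
        with open(os.path.join(root, "etc/tool.conf"), "wb") as fh:
            fh.write(b"verbose=1\n")  # modify an installed file
        changed_file = verify_installed(root, checksums, sig)
        changed_list = verify_installed(root, checksums + b"\n", sig)  # one extra byte
    return {"clean": clean, "changed_file": changed_file, "changed_list": changed_list}
```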