On Sat, Mar 25, 2000 at 11:03:11PM +0100, Robert Bihlmeyer wrote:
> Chris Frey <[EMAIL PROTECTED]> writes:
> > So my question is, what are your thoughts on adding a signature to the
> > current Packages.gz file, or adding a similar *dsc file for it,
> > which is then signed?
>
> Do you want to sign each package entry, or the whole file? Whose
> signature would be used?

The whole file --- verifying each entry would take at least three minutes on my hardware, and god knows how long on anything moderately old or outdated. I certainly wouldn't want to try it on m68k on a regular basis, e.g. (If doing something just once takes a second, doing it 4000 times takes a bit over an hour.)

Whose key should be used? Probably a special one just for dinstall, that's kept fairly securely by the Novare and -admin folks, and revoked regularly. There doesn't really seem a huge amount of choice here, to me.

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

``The thing is: trying to be too generic is EVIL. It's stupid, it results in slower code, and it results in more bugs.''
        -- Linus Torvalds