On 2014-09-21 21:13, Richard van den Berg wrote:
> Package formats like apk and jar avoid this chicken and egg problem by
> hashing the files inside a package, and storing those hashes in a manifest
> file.

Is there a "chicken and egg problem"? Only if one insists on embedding the
signatures in one file, I would say.

> Signatures only sign the manifest file. The manifest itself and the signature
> files are not part of the manifest, but are part of the package. So a package
> including its signature(s) is still a single file.

This is nice, indeed, but: The Debian repository is mirrored all over the
world and distributed on DVDs/CDs. If package files change whenever a
signature is added, this would lead to needless traffic and obliterate
readonly media. (Well, rsync would mitigate the mirror problem by only
transmitting the signature parts of a file, right?)

Archive: https://lists.debian.org/20140921205441.GA29763@fama
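The manifest-based scheme described in the quoted text, and the mirror concern raised in the reply, worked through as an added example (this is not code from the thread, Debian, or the jar/apk tooling). The archive layout loosely follows jar's META-INF convention, but the manifest format and the entry names are assumptions, and an HMAC stands in for the public-key signature that a real format would use, because the point here is the structure: content files are hashed into a manifest, signatures cover only the manifest, and the manifest and signature entries are deliberately excluded from the manifest, which is what breaks the "chicken and egg" loop. The verifier also rejects unlisted content files, since a package that tolerated them would let unsigned material ride along. The last function shows the reply's observation: adding a second signature rewrites the package bytes even though nothing the first signature covers has changed.

```python
import hashlib
import hmac
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"   # assumed layout, modelled on jar
SIG_DIR = "META-INF/"               # signature entries live here, outside the manifest


def build_manifest(files: dict[str, bytes]) -> bytes:
    """One 'Name:' / 'SHA-256-Digest:' stanza per content file, in sorted order."""
    stanzas = [f"Name: {name}\nSHA-256-Digest: {hashlib.sha256(files[name]).hexdigest()}\n"
               for name in sorted(files)]
    return "\n".join(stanzas).encode()


def parse_manifest(manifest: bytes) -> dict[str, str]:
    entries, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            entries[name] = line[len("SHA-256-Digest: "):]
    return entries


def sign_manifest(manifest: bytes, key: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a public-key signature; only the manifest is signed.
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()


def _write_archive(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_package(files: dict[str, bytes], key: bytes, signer: str) -> bytes:
    manifest = build_manifest(files)  # META-INF entries are not in `files`, so not in the manifest
    return _write_archive({**files, MANIFEST: manifest, f"{SIG_DIR}{signer}.SIG": sign_manifest(manifest, key)})


def rewrite_package(package: bytes, extra: dict[str, bytes]) -> bytes:
    """Re-create the archive with `extra` entries added or replaced. Any change rewrites the whole file."""
    src = zipfile.ZipFile(io.BytesIO(package))
    entries = {name: src.read(name) for name in src.namelist()}
    entries.update(extra)
    return _write_archive(entries)


def add_signature(package: bytes, key: bytes, signer: str) -> bytes:
    """Add another signature over the existing manifest; the content files are untouched."""
    manifest = zipfile.ZipFile(io.BytesIO(package)).read(MANIFEST)
    return rewrite_package(package, {f"{SIG_DIR}{signer}.SIG": sign_manifest(manifest, key)})


def verify_package(package: bytes, trusted_keys: dict[str, bytes]) -> dict:
    zf = zipfile.ZipFile(io.BytesIO(package))
    names = set(zf.namelist())
    manifest = zf.read(MANIFEST)
    # 1. Which trusted signers produced a valid signature over the manifest?
    signers = [s for s, k in trusted_keys.items()
               if f"{SIG_DIR}{s}.SIG" in names
               and hmac.compare_digest(zf.read(f"{SIG_DIR}{s}.SIG"), sign_manifest(manifest, k))]
    # 2. Does every listed file still hash to its manifest digest?
    listed = parse_manifest(manifest)
    bad_digests = [n for n, d in listed.items()
                   if n not in names or hashlib.sha256(zf.read(n)).hexdigest() != d]
    # 3. Is every content file covered by the manifest? (META-INF is exempt by design.)
    unlisted = [n for n in names if not n.startswith(SIG_DIR) and n not in listed]
    return {"signers": signers, "bad_digests": bad_digests, "unlisted": unlisted,
            "ok": bool(signers) and not bad_digests and not unlisted}


# Constructed sample package and keys (placeholders, not real Debian content or keys).
SAMPLE_FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n", "DEBIAN/control": b"Package: hello\n"}
SAMPLE_KEYS = {"ALICE": b"alice-demo-key", "BOB": b"bob-demo-key"}


def demo() -> tuple[dict, dict, bool]:
    """Returns (verification with one signature, with two signatures, whether adding one changed the bytes)."""
    pkg1 = build_package(SAMPLE_FILES, SAMPLE_KEYS["ALICE"], "ALICE")
    pkg2 = add_signature(pkg1, SAMPLE_KEYS["BOB"], "BOB")
    return verify_package(pkg1, SAMPLE_KEYS), verify_package(pkg2, SAMPLE_KEYS), pkg1 != pkg2


if __name__ == "__main__":
    print(demo())
```

The two-signature package verifies under both keys without re-signing anything, which is the property the quoted text describes; the final boolean is True, which is the reply's point about mirrors and read-only media: the file on disk is a different byte sequence once a signature is appended, even though the signed content is identical.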