Hmm. Any old rpm version, not to mention all the 3rd party signing servers out
there, can merrily add v3 signatures to a v6 package. It doesn't *break* the
package, technically, so erroring out seems like a pretty drastic thing to do.
But then it does break our assumptions about 999 being the last tag in
signature.
At the very least we should just ignore any tags over 999 in v6 signature
headers, and certainly not merge them on package read. And I guess, explicitly
delete any tags over 999 from v6 packages during signing, because that's where
we care about it more.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1570#issuecomment-2488371072
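One way to apply the "ignore any tags over 999 on read" idea to a signature header's index, as an added example that is not part of the original message or rpm's own code. The function name, the sample blob and every tag number other than 999 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIG_LAST_V6_TAG 999u /* per the post: 999 is assumed to be the last tag */

/* Header fields are stored big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the index of a header blob: 8-byte magic+reserved, nindex, hsize,
 * then nindex 16-byte entries (tag, type, offset, count).
 * Tags above 999 are skipped and counted in *ignored; accepted tags go to kept[].
 * Returns the number of accepted tags, or -1 if the blob is malformed. */
int sig_tags_v6(const uint8_t *blob, size_t len, uint32_t *kept, size_t max, size_t *ignored) {
    static const uint8_t magic[4] = {0x8e, 0xad, 0xe8, 0x01};
    if (len < 16 || memcmp(blob, magic, 4) != 0) return -1;
    uint32_t nindex = be32(blob + 8), hsize = be32(blob + 12);
    if (nindex > (len - 16) / 16) return -1;               /* index must fit in the blob */
    if (hsize > len - 16 - (size_t)nindex * 16) return -1; /* and so must the data area */
    size_t n = 0;
    *ignored = 0;
    for (uint32_t i = 0; i < nindex; i++) {
        uint32_t tag = be32(blob + 16 + (size_t)i * 16);
        if (tag > SIG_LAST_V6_TAG) { (*ignored)++; continue; } /* never merged */
        if (n < max) kept[n++] = tag;
    }
    return (int)n;
}

/* Constructed sample: index only, no data; tag numbers other than 999 are illustrative. */
#define ENT(t) 0, 0, (uint8_t)((t) >> 8), (uint8_t)((t) & 0xff), 0,0,0,7, 0,0,0,0, 0,0,0,0
static const uint8_t sample_sig[] = {
    0x8e, 0xad, 0xe8, 0x01, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, /* nindex=4, hsize=0 */
    ENT(62), ENT(278), ENT(999), ENT(1002)
};

int main(void) {
    uint32_t kept[8];
    size_t ignored;
    int n = sig_tags_v6(sample_sig, sizeof sample_sig, kept, 8, &ignored);
    printf("kept=%d ignored=%zu\n", n, ignored);
    return 0;
}
```

The same walk can run at signing time, where the skipped count tells the signer that entries above 999 are present and need to be dropped before the header is rewritten.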