On Mon, Sep 03, 2001 at 06:13:37PM +0200, Niklas Hoglund wrote:
> Have I misunderstood that a signature is a kind of checksum. What purpose
> does adding a checksum to a checksum have? If the signature is invalid the
> .deb should not be trusted, but thrown away and redownloaded.

Because a cracker can tamper with a checksum, but she can't tamper with a
signature. (Unless she has compromised ftp-master.)

Greetings
Bernd
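
An added illustration of the point made in the reply above, not part of the original thread: a checksum published next to a file can be recomputed by anyone who can change the file, while a signature check against a public key fails once the file changes. As an assumption to keep it standard-library only, a Lamport one-time signature over SHA-256 stands in for the archive's real signing scheme; all function names and sample data are constructed.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def message_bits(data: bytes):
    # The 256 bits of SHA-256(data), most significant bit first.
    return [(byte >> (7 - i)) & 1 for byte in sha256(data) for i in range(8)]

def lamport_keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in private]
    return private, public

def lamport_sign(private, data: bytes):
    # Reveal one secret per digest bit. A key pair must sign only once.
    return [private[i][bit] for i, bit in enumerate(message_bits(data))]

def lamport_verify(public, data: bytes, signature) -> bool:
    bits = message_bits(data)
    return len(signature) == 256 and all(
        sha256(sig) == public[i][bit]
        for i, (sig, bit) in enumerate(zip(signature, bits)))

def checksum_ok(package: bytes, published_checksum: str) -> bool:
    # Unkeyed check: anyone can produce a matching value for any file.
    return hashlib.sha256(package).hexdigest() == published_checksum

def demo():
    # Constructed sample data standing in for a .deb on a mirror.
    original = b"constructed package contents v1.0"
    private, public = lamport_keygen()  # private key never leaves the signer
    mirror = {"package": original,
              "checksum": hashlib.sha256(original).hexdigest(),
              "signature": lamport_sign(private, original)}
    genuine = (checksum_ok(mirror["package"], mirror["checksum"]),
               lamport_verify(public, mirror["package"], mirror["signature"]))
    # The file on the mirror is replaced and the checksum recomputed, which
    # needs no secret. A new signature would need the private key, so the
    # old one stays in place and no longer matches.
    mirror["package"] = b"constructed package contents, modified"
    mirror["checksum"] = hashlib.sha256(mirror["package"]).hexdigest()
    tampered = (checksum_ok(mirror["package"], mirror["checksum"]),
                lamport_verify(public, mirror["package"], mirror["signature"]))
    return genuine, tampered
```

`demo()` returns one `(checksum_ok, signature_ok)` pair for the genuine file and one for the modified file.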