James Harlow wrote:     [Sat Nov 22 2003, 08:15:57AM EST]
> I hope I've convinced people this is valuable.

I was convinced already, but it's really nice to see some first steps
listed and some worst case scenarios covered.

md5sums help to prevent problems due to corrupted downloads and/or
corrupted mirrors.  This can include corruption due to malicious
tampering.  However it doesn't provide the avenues of detection and
containment provided by signatures.  An additional benefit of signatures
is that they can only be generated by a developer, whereas md5sums can
be generated by whoever.

Would it be possible to store the signatures in a file separate from the
sources themselves, similar to the digests at the moment?

Aron

-- 
Aron Griffis
Gentoo Linux Developer (alpha / ia64 / ruby / vim)
Key fingerprint = E3B6 8734 C2D6 B5E5 AE76  FB3A 26B1 C5E3 2010 4EB0

Attachment: pgp00000.pgp
Description: PGP signature
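An added illustration of the point Aron makes above (example code written for this page, not anything from the Gentoo tree or the thread): a digest file catches corruption, but whoever can alter a tarball on a mirror can also regenerate its md5sum, whereas a detached signature over the tarball can only come from the holder of the developer's private key. The example uses Ed25519 from Go's standard library as a stand-in for the PGP signatures discussed; the tarball contents, the "compromised mirror" replacement and the `Publish`/`TamperOnMirror` helpers are constructed for the demonstration. The signature is kept in a field separate from the tarball, which is exactly the "separate file, like the digests" arrangement asked about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Published models what a mirror carries for one distfile: the tarball, the
// digest file entry, and a detached signature stored separately from the source.
type Published struct {
	Tarball   []byte
	Digest    string // hex md5sum, as a digest file would list it
	Signature []byte // detached Ed25519 signature over the tarball bytes
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// Publish is the developer-side step: compute the digest and sign the tarball
// with the developer's private key (hypothetical helper, constructed here).
func Publish(tarball []byte, devKey ed25519.PrivateKey) Published {
	return Published{
		Tarball:   tarball,
		Digest:    md5Hex(tarball),
		Signature: ed25519.Sign(devKey, tarball),
	}
}

// TamperOnMirror models the corrupted-mirror scenario: the tarball is replaced
// and the digest recomputed, which anyone can do. The old signature is all the
// mirror has, since producing a new one needs the developer's private key.
func TamperOnMirror(p Published, replacement []byte) Published {
	return Published{
		Tarball:   replacement,
		Digest:    md5Hex(replacement),
		Signature: p.Signature,
	}
}

// DigestOK is the user-side md5sum check.
func DigestOK(p Published) bool { return md5Hex(p.Tarball) == p.Digest }

// SignatureOK is the user-side signature check against the developer's
// public key, which the user obtained out of band (e.g. a keyring).
func SignatureOK(p Published, devPub ed25519.PublicKey) bool {
	return ed25519.Verify(devPub, p.Tarball, p.Signature)
}

// Outcome records the four checks: both on the genuine file, both after tampering.
type Outcome struct {
	DigestGenuine, SigGenuine   bool
	DigestTampered, SigTampered bool
}

// RunScenario generates a fresh developer key, publishes a constructed tarball,
// simulates the mirror compromise, and reports what each check says.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample contents; a real tarball would be the bytes on disk.
	original := []byte("foo-1.0.tar.bz2: constructed sample contents")
	replaced := []byte("foo-1.0.tar.bz2: contents replaced on a compromised mirror")

	genuine := Publish(original, priv)
	tampered := TamperOnMirror(genuine, replaced)

	return Outcome{
		DigestGenuine:  DigestOK(genuine),
		SigGenuine:     SignatureOK(genuine, pub),
		DigestTampered: DigestOK(tampered),  // passes: digest was regenerated
		SigTampered:    SignatureOK(tampered, pub), // fails: signature can't be
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine:  digest=%v signature=%v\n", o.DigestGenuine, o.SigGenuine)
	fmt.Printf("tampered: digest=%v signature=%v\n", o.DigestTampered, o.SigTampered)
}
```

The tampered run is the whole argument in two lines of output: the digest check still says the file is fine, and only the signature check detects the substitution. A digest file that is itself signed by the developer would close the same gap for every file it lists.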
