> deltarpm would also need to be changed to strip away all header+payload
> digests/signatures from the signature header.
On that note... the grand plan is to drop header+payload digests/signatures
from rpm, except as a legacy compatibility option. Adding a strong (and signed if
the package is signed) digest for the payload alone was a prerequisite for that,
and it's also the reason the verify code is written the way it is: for packages
built on rpm >= 4.14 you can already disable header+payload digests/signatures
without sacrificing security at all. And in this setting, whether the payload
is compressed or not is ultimately totally uninteresting.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/861#issuecomment-534917841
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
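As an added illustration (not code from the thread or from rpm itself) of why a payload-only digest in the main header is enough once that header is signed: the sketch below walks the rpm lead, signature header and main header, reads RPMTAG_PAYLOADDIGEST / RPMTAG_PAYLOADDIGESTALGO (tags 5092/5093, as rpm >= 4.14 writes them) from the main header, and checks them against the payload as stored in the file, compressed or not. It assumes the header signature has already been verified separately; build_header and build_rpm are constructed helpers that emit a minimal rpm-shaped blob for offline testing, not real packages.

```python
import hashlib
import hmac
import struct
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96                   # the rpm lead is a fixed 96-byte legacy block
RPMTAG_PAYLOADDIGEST = 5092      # STRING_ARRAY: hex digest over the payload as stored in the file
RPMTAG_PAYLOADDIGESTALGO = 5093  # INT32: OpenPGP hash algorithm id (8 = SHA256, 10 = SHA512)
PGP_HASH_ALGOS = {8: "sha256", 10: "sha512"}
INT32, STRING, STRING_ARRAY = 4, 6, 8   # rpm header data types handled here
def parse_header(data: bytes, pos: int):
    """Parse one header section (signature or main) at pos; return (tags, end offset)."""
    if data[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", data[pos + 8:pos + 16])
    index, store, tags = pos + 16, pos + 16 + nindex * 16, {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iiii", data[index + i * 16:index + i * 16 + 16])
        p = store + off
        if typ == INT32:
            tags[tag] = list(struct.unpack(">%di" % count, data[p:p + 4 * count]))
        elif typ in (STRING, STRING_ARRAY):  # NUL-terminated strings, back to back; other types skipped
            tags[tag] = []
            for _ in range(count):
                end = data.index(b"\0", p)
                tags[tag].append(data[p:end].decode())
                p = end + 1
    return tags, store + hsize

def verify_payload_digest(rpm: bytes) -> bool:
    """True iff RPMTAG_PAYLOADDIGEST in the (signed) main header matches the payload bytes."""
    _, sig_end = parse_header(rpm, LEAD_SIZE)
    sig_end += (8 - sig_end % 8) % 8         # signature header is padded to 8 bytes
    tags, payload_start = parse_header(rpm, sig_end)
    algo = PGP_HASH_ALGOS[tags[RPMTAG_PAYLOADDIGESTALGO][0]]
    actual = hashlib.new(algo, rpm[payload_start:]).hexdigest()
    return hmac.compare_digest(actual, tags[RPMTAG_PAYLOADDIGEST][0])

def build_header(entries) -> bytes:   # constructed test helper: [(tag, type, count, raw)] -> section
    index, store = b"", b""
    for tag, typ, count, raw in entries:  # caller keeps INT32 data 4-byte aligned
        index += struct.pack(">iiii", tag, typ, len(store), count)
        store += raw
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store
def build_rpm(payload: bytes, algo_id: int = 8) -> bytes:  # constructed: lead + sig hdr + main hdr + payload
    sig = build_header([])
    sig += b"\0" * ((8 - len(sig) % 8) % 8)
    digest = hashlib.new(PGP_HASH_ALGOS[algo_id], payload).hexdigest().encode() + b"\0"
    main = build_header([(RPMTAG_PAYLOADDIGESTALGO, INT32, 1, struct.pack(">i", algo_id)),
                         (RPMTAG_PAYLOADDIGEST, STRING_ARRAY, 1, digest)])
    return b"\0" * LEAD_SIZE + sig + main + payload
```

Because the digest lives in the main header, which is what rpm's header-only signature covers, a verifier that checks the header signature and then this digest needs nothing from the legacy header+payload entries in the signature header.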