On Thu, 11 Nov 2010 10:17:57 -0500, Andre Robatino wrote:
> James Antill wrote:
>
>> IMO, as has been said before, if you have a delta method that doesn't
>> produce the exact same bits at the end ... you've probably failed. It
>> might seem like a good idea, but even if you go to the extreme len
On Thu, 2010-11-11 at 10:17 -0500, Andre Robatino wrote:
> James Antill wrote:
>
> > IMO, as has been said before, if you have a delta method that doesn't
> > produce the exact same bits at the end ... you've probably failed. It
> > might seem like a good idea, but even if you go to the extreme le
On 11/11/2010 07:17 AM, Andre Robatino wrote:
> in an alternate universe where RPM was originally
> designed to sign the uncompressed data, and the higher-level tools were
> subsequently designed to work with that, is there any fundamental reason
> why things would be worse (or better) than they ar
On Thu, Nov 11, 2010 at 10:17:57AM -0500, Andre Robatino wrote:
> I realize there's a lot of stuff sitting on top of RPM that depends on
> how it works currently, but in terms of correctness, it still seems to
> me to make more sense to sign the uncompressed data, since that's what
> actually gets
James Antill wrote:
> IMO, as has been said before, if you have a delta method that doesn't
> produce the exact same bits at the end ... you've probably failed. It
> might seem like a good idea, but even if you go to the extreme lengths
> needed to make it just for yum ... things like reposync won
On Thu, Nov 11, 2010 at 09:29:54 -0500,
Andre Robatino wrote:
> Bruno Wolff III wrote:
>
> > Uncompressing hostile data is generally not a good thing to be doing.
> > From that aspect it makes more sense to sign the compressed payload.
>
> I was thinking that since the signature check usually
On Thu, 2010-11-11 at 10:41 +, Andre Robatino wrote:
> I came across the following old post, which I'm not responding to in-thread
> due
> to its age.
>
> https://www.redhat.com/archives/fedora-devel-list/2009-September/msg00517.html
>
> The question was raised why RPMs sign their compressed
Bruno Wolff III wrote:
> Uncompressing hostile data is generally not a good thing to be doing.
> From that aspect it makes more sense to sign the compressed payload.
I was thinking that since the signature check usually passes, the data
could be uncompressed into a cache, checked there, then copi
On Thu, Nov 11, 2010 at 10:41:13 +,
Andre Robatino wrote:
>
> The question was raised why RPMs sign their compressed data, rather than
> uncompressed. (One advantage would be to avoid deltarpm rebuild failures due
> to
> changes in compression such as the recent one in xz.) The answer had
I came across the following old post, which I'm not responding to in-thread due
to its age.
https://www.redhat.com/archives/fedora-devel-list/2009-September/msg00517.html
The question was raised why RPMs sign their compressed data, rather than
uncompressed. (One advantage would be to avoid deltar
10 matches
Mail list logo
