On Thu, Nov 11, 2010 at 10:41:13 +0000,
Andre Robatino <robatino(a)fedoraproject.org> wrote:
> The question was raised why RPMs sign their compressed data, rather than
> uncompressed. (One advantage would be to avoid deltarpm rebuild failures due to
> changes in compression such as the recent one in xz.) The answer had to do with
> the fact that higher-level tools (createrepo and yum) depend on the current
> behavior, but that doesn't address whether it's just an early design mistake
> that we're locked into now, or if there's actually some overall advantage to
> doing things this way (that outweighs the obvious disadvantage of inflexibility
> in how the data is compressed). Can anyone shed some light on this?

Uncompressing hostile data is generally not a good thing to be doing. From
that aspect it makes more sense to sign the compressed payload.
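
The point made in the reply, shown as an added example that is not RPM's, yum's, or any list member's code: when the signature covers the compressed bytes, a verifier can reject a tampered package before it inflates anything and can bound the output of an authentic one; when the signature covers the plaintext, the decompressor has to run over attacker-controlled input before any check is possible. Assumptions: HMAC-SHA256 with a shared key stands in for RPM's asymmetric package signature, zlib stands in for the gzip/xz payload compressor, and the key and payloads are constructed for the demonstration.

```python
"""Verify-then-inflate versus inflate-then-verify on a possibly hostile package.

Added illustration, not RPM/yum code.  HMAC-SHA256 with a shared key stands in
for the package's RSA/DSA signature; zlib stands in for gzip/xz.
"""
import hashlib
import hmac
import zlib

SIG_LEN = 32                                   # HMAC-SHA256 digest size
KEY = b"stand-in-for-the-packager-signing-key"  # constructed, not a real key


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def package_sign_compressed(key: bytes, payload: bytes) -> bytes:
    """RPM-style layout: signature covers the compressed bytes as stored."""
    compressed = zlib.compress(payload, 9)
    return sign(key, compressed) + compressed


def package_sign_uncompressed(key: bytes, payload: bytes) -> bytes:
    """The alternative raised in the question: signature covers the plaintext."""
    compressed = zlib.compress(payload, 9)
    return sign(key, payload) + compressed


def verify_then_inflate(key: bytes, blob: bytes, max_out: int) -> bytes:
    """Safe order: a forgery is rejected before one byte is inflated, and even
    an authentic package cannot expand past max_out bytes."""
    sig, compressed = blob[:SIG_LEN], blob[SIG_LEN:]
    if not hmac.compare_digest(sig, sign(key, compressed)):
        raise ValueError("bad signature; nothing was decompressed")
    d = zlib.decompressobj()
    out = d.decompress(compressed, max_out)       # inflate at most max_out bytes
    if d.unconsumed_tail or not d.eof:            # stream did not finish within the bound
        raise ValueError("decompressed output exceeds %d bytes" % max_out)
    return out


def inflate_then_verify(key: bytes, blob: bytes):
    """Order forced by a plaintext signature: the whole stream is inflated
    before the signature can be checked.  Returns (verified, bytes_inflated)."""
    sig, compressed = blob[:SIG_LEN], blob[SIG_LEN:]
    try:
        payload = zlib.decompress(compressed)     # unbounded, attacker-controlled
    except zlib.error:
        return False, 0
    return hmac.compare_digest(sig, sign(key, payload)), len(payload)


BOMB_SIZE = 16 * 1024 * 1024  # 16 MiB of zeros compresses to roughly 16 KiB


def tamper(blob: bytes) -> bytes:
    """Attacker keeps the original signature bytes but swaps in a bomb stream."""
    return blob[:SIG_LEN] + zlib.compress(b"\0" * BOMB_SIZE, 9)


if __name__ == "__main__":
    payload = b"hello from a package payload\n" * 100   # constructed sample
    print(len(verify_then_inflate(KEY, package_sign_compressed(KEY, payload), 1 << 20)),
          "bytes from a good package")
    try:
        verify_then_inflate(KEY, tamper(package_sign_compressed(KEY, payload)), 1 << 20)
    except ValueError as e:
        print("compressed-signature design:", e)
    ok, n = inflate_then_verify(KEY, tamper(package_sign_uncompressed(KEY, payload)))
    print("plaintext-signature design: verified=%s after inflating %d bytes" % (ok, n))
```

With the signature over compressed bytes the tampered package is refused with zero bytes inflated, and a bound on output size can be enforced even for a genuine package; with the signature over plaintext the verifier only learns the package is bad after inflating all 16 MiB of the substituted stream. A limit on inflated size still matters in the first design, since a validly signed package from a compromised key is as hostile as a forged one.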