John Burton said:
[snip]
As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually attached
to what you are signing.
[snip]
IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages. The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.
I didn't catch that particular detail earlier, but that would be fine.
Like I said, as long as changing the package invalidates the signature
then the purpose is served.
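The scheme the thread describes (sign the metadata that carries the package checksums, then check each download against that metadata) as a worked example. This is added illustration, not code from the list or from any project discussed in it; it assumes Ed25519 for the signature and SHA-256 in place of the MD5sums mentioned above, and a hypothetical "name hash" line format for the metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Metadata maps a package file name to the hex digest of its contents.
// Assumption: SHA-256 instead of the MD5sums discussed in the thread.
type Metadata map[string]string

// Encode renders the metadata as sorted "name hash\n" lines so the bytes
// that get signed are deterministic regardless of map iteration order.
func (m Metadata) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// ParseMetadata is the inverse of Encode; malformed lines are rejected.
func ParseMetadata(b []byte) (Metadata, error) {
	m := Metadata{}
	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 || len(f[1]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed metadata line: %q", line)
		}
		m[f[0]] = f[1]
	}
	return m, nil
}

// Digest returns the hex SHA-256 of a package's bytes.
func Digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// BuildMetadata is the repository side: hash every package into the listing.
func BuildMetadata(pkgs map[string][]byte) Metadata {
	m := Metadata{}
	for name, data := range pkgs {
		m[name] = Digest(data)
	}
	return m
}

// SignMetadata signs the canonical metadata, not the individual packages.
func SignMetadata(priv ed25519.PrivateKey, m Metadata) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyPackage is the client side: the signature over the metadata must
// verify first, then the download's digest must match the signed entry.
// Changing the package, the metadata, or asking for an unlisted name fails.
func VerifyPackage(pub ed25519.PublicKey, metaBytes, sig []byte, name string, download []byte) error {
	if !ed25519.Verify(pub, metaBytes, sig) {
		return errors.New("metadata signature invalid")
	}
	m, err := ParseMetadata(metaBytes)
	if err != nil {
		return err
	}
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("package %q not listed in signed metadata", name)
	}
	if want != Digest(download) {
		return fmt.Errorf("digest mismatch for %q", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample packages standing in for real archives.
	pkgs := map[string][]byte{"foo-1.0.tar.gz": []byte("foo contents")}
	m := BuildMetadata(pkgs)
	meta, sig := m.Encode(), SignMetadata(priv, m)
	fmt.Println("good download:", VerifyPackage(pub, meta, sig, "foo-1.0.tar.gz", pkgs["foo-1.0.tar.gz"]))
	fmt.Println("tampered download:", VerifyPackage(pub, meta, sig, "foo-1.0.tar.gz", []byte("evil")))
}
```

The signature covers only the metadata bytes, so an attacker who swaps a package must also edit its digest in the metadata, which breaks the signature; that is exactly the "changing the package invalidates the signature" property the reply asks for, reached indirectly through the hash.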