John Burton said:
[snip]
As far as signing packages vs. signing meta-data... Digital
signatures
are like real signatures, you want to make sure they are actually attached
to what you are signing.
[snip]
IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages. The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.
--
William Hooper