RPM: signing uncompressed data instead of signed data?

Andre Robatino robatino at fedoraproject.org
Thu Nov 11 15:17:57 UTC 2010

James Antill wrote:

> IMO, as has been said before, if you have a delta method that doesn't
> produce the exact same bits at the end ... you've probably failed. It
> might seem like a good idea, but even if you go to the extreme lengths
> needed to make it just for yum ... things like reposync won't be able
> to use it, Eg.
>  http://james.fedorapeople.org/python/delta-rpm-dir.py

I realize there's a lot of stuff sitting on top of RPM that depends on
how it works currently, but in terms of correctness, it still seems to
me to make more sense to sign the uncompressed data, since that's what
actually gets used, and it would avoid issues like
https://fedorahosted.org/rel-eng/ticket/4224 which will have to be dealt
with periodically as long as compression continues to improve. So let me
rephrase the question: in an alternate universe where RPM was originally
designed to sign the uncompressed data, and the higher-level tools were
subsequently designed to work with that, is there any fundamental reason
why things would be worse (or better) than they are now?

(Again, sorry for not replying in-thread, but Gmane isn't updating.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20101111/75fe199a/attachment.bin 

More information about the devel mailing list