RPM: signing uncompressed data instead of signed data?

Michel Alexandre Salim salimma at fedoraproject.org
Sun Nov 14 13:37:55 UTC 2010

On Thu, 11 Nov 2010 10:17:57 -0500, Andre Robatino wrote:

> James Antill wrote:
>> IMO, as has been said before, if you have a delta method that doesn't
>> produce the exact same bits at the end ... you've probably failed. It
>> might seem like a good idea, but even if you go to the extreme lengths
>> needed to make it just for yum ... things like reposync won't be able
>> to use it, Eg.
>>  http://james.fedorapeople.org/python/delta-rpm-dir.py
> I realize there's a lot of stuff sitting on top of RPM that depends on
> how it works currently, but in terms of correctness, it still seems to
> me to make more sense to sign the uncompressed data, since that's what
> actually gets used, and it would avoid issues like
> https://fedorahosted.org/rel-eng/ticket/4224 which will have to be dealt
> with periodically as long as compression continues to improve.

This is what 0install uses:

Michel Alexandre Salim
Fedora Project Contributor: http://fedoraproject.org/

Email:  salimma at fedoraproject.org  | GPG key ID: 78884778
Jabber: hircus at jabber.ccc.de       | IRC: hircus at irc.freenode.net

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

More information about the devel mailing list