Suggestion: bmap files and bmaptool
Artem Bityutskiy
dedekind1 at gmail.com
Wed Aug 14 10:39:29 UTC 2013
On Wed, 2013-08-14 at 12:24 +0200, Björn Persson wrote:
> Speaking of security, how is the integrity of the bmap file itself
> verified?
This is not implemented, unfortunately. This is another thing which I
probably would need to do, and this is a very good point.
I will look at this, after I do the SHA256 thing.
> A checksum is of no use if you don't know who generated the
> checksum. Fedora's checksum files are OpenPGP signed, as you can see
> in
> the one that Till linked to.
Right, bmap file could also contain such a signature.
> I don't see a cryptographic signature in
> your example file. Are there detached signatures for the bmap files?
Well, of course detached signatures can be generated.
> And does Bmaptool verify the signatures?
But no, bmaptool does not verify them. And again, if there is real
interest from Fedora community, I will try to implement this faster (or
accept someone's contribution :-))
Thanks for the feed-back!
--
Best Regards,
Artem Bityutskiy
More information about the devel
mailing list