No more deltarpms by default
Reindl Harald
h.reindl at thelounge.net
Fri Oct 17 09:17:47 UTC 2014
Am 17.10.2014 um 10:55 schrieb Roberto Ragusa:
> On 10/06/2014 07:25 PM, Reindl Harald wrote:
>
>> the last discussions suggested that the result needs to be *identical* to the full RPM downloaded for not break signatures
>
> Bizarre design; the signature should protect the content (uncompressed), not
> the transport method (compressed)
no - it is a smart design besides the topic
the whole RPM package is signed and so you can verify the integrity
without unpack it first - the history showed security flaws more than
once just uncompress untrusted archives
https://www.google.at/search?q=attack+uncompress
and it is a smart design in general:
RPM don't need to know anything about deltarpms the way it is
implemented just because RPM has not to deal with that and only faces
the rebuilt package
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141017/c408c230/attachment.sig>
More information about the devel
mailing list