Libdvdcss

Michael Schwendt mschwendt at gmail.com
Tue May 4 08:59:01 UTC 2010


On Mon, 3 May 2010 20:41:16 -0400, Darr wrote:

> On Mon 03 May 2010 @ 13:29:35 zulu, Michael Schwendt scribed:
> 
> > You two are talking past each other. There is a problem with the "debug"
> > repo metadata:
> > http://lists.rpmfusion.org/pipermail/rpmfusion-users/2010-February/000610.html
> 
> 
> Yeah...  but as I said in that message back in February, there's no
> real way to tell if the file is "good" and the hash in the XML file is
> incorrect, or if the checksum in the file is correct and the file bad.

"No real way" or "no way"? The package passes RPM verification at least,
so obviously it isn't damaged badly:

$ rpm -Kv libdvdcss-debuginfo-1.2.10-1.i386.rpm 
libdvdcss-debuginfo-1.2.10-1.i386.rpm:
    Header V4 DSA/SHA1 Signature, key ID a109b1ec: OK
    Header SHA1 digest: OK (4e08f7e57efee9566161d1877fd08d8ea18ac243)
    MD5 digest: OK (d772761658ec7217f02475c9d758888c)
    V4 DSA/SHA1 Signature, key ID a109b1ec: OK

And those checksums are independent from the GPG signature (here done
with key ID a109b1ec). That means you can sign the package with a different
key and still get the same internal RPM checksums. Only the file's checksum
will differ, and that's the one that enters the repodata.
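
Added example, not part of the original message: one way to separate the two cases discussed above by comparing a package's whole-file checksum with the value recorded in the repository's primary.xml and combining that with the result of `rpm -Kv`. The `triage` function, its `rpm_k_ok` parameter and the sample bytes are assumptions made for illustration; the sample "package" is a constructed toy layout, not a real RPM.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}
# Older createrepo wrote type="sha" for SHA-1.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256"}

def repodata_checksum(primary_xml, href):
    """Return (hashlib name, hex digest) that primary.xml records for href."""
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        loc = pkg.find("c:location", NS)
        if loc is not None and loc.get("href") == href:
            cs = pkg.find("c:checksum", NS)
            return ALGOS[cs.get("type")], cs.text.strip().lower()
    raise KeyError(href)

def triage(primary_xml, href, file_bytes, rpm_k_ok):
    """rpm_k_ok: True if `rpm -Kv` reported OK on every line (run separately)."""
    algo, recorded = repodata_checksum(primary_xml, href)
    if hashlib.new(algo, file_bytes).hexdigest() == recorded:
        return "consistent"
    # Whole-file hash differs from repodata. If the package still verifies,
    # the metadata describes a different copy (for example one signed with
    # another key); otherwise the file itself is damaged.
    return "metadata-mismatch" if rpm_k_ok else "package-damaged"

# Constructed sample data: a toy "signature|body" layout, not the RPM format.
HREF = "libdvdcss-debuginfo-1.2.10-1.i386.rpm"
BODY = b"constructed header and payload bytes"
ORIGINAL = b"signature-by-key-A|" + BODY
RESIGNED = b"signature-by-key-B|" + BODY
PRIMARY = (
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
    '<package type="rpm"><name>libdvdcss-debuginfo</name>'
    '<checksum type="sha256" pkgid="YES">%s</checksum>'
    '<location href="%s"/></package></metadata>'
) % (hashlib.sha256(ORIGINAL).hexdigest(), HREF)

if __name__ == "__main__":
    print(triage(PRIMARY, HREF, ORIGINAL, True))
    print(triage(PRIMARY, HREF, RESIGNED, True))
    print(triage(PRIMARY, HREF, RESIGNED, False))
```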

