On 3 Oct 2001, Charles M. Hannum wrote:
> > I wonder if it was possible to make the signature part of the +-files, and
> > if present do the sigature checking?  Just like what we do for +MESSAGE
> > files etc.
> 
> That would require some Magick, since the tar file itself would change,
> and you have to be careful about exactly *what* you're checking the
> signature of.  I suppose it might be amusing to always have it be the
> first file -- i.e. be prefixed to the existing tar file -- and checksum
> the decompressed image instead.

Indeed. An alternative would be to checksum each single file, as we do
right now using MD5 hashes. I don't know PGP enough to tell if that's
possible, or good in general. (Someone might still add a bad binary at the
end, unsigned. Then again we could require IF signing is on, it'd be on
for ALL files). Just some random thoughts...


 - Hubert

-- 
Want to get a clue on IPv6 but don't know where to start? Try this:
* Basics -> http://www.onlamp.com/pub/a/onlamp/2001/05/24/ipv6_tutorial.html
* Setup  -> http://www.onlamp.com/pub/a/onlamp/2001/06/01/ipv6_tutorial.html 
Of course with your #1 IPv6 ready operating system -> http://www.NetBSD.org/