Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Curt Sampson <cjs@cynic.net>
From: Todd Vierling <tv@duh.org>
List: tech-pkg
Date: 07/22/2005 09:25:48

On Fri, 22 Jul 2005, Curt Sampson wrote:

> We should be using better hashes than MD5, these days. But yes, possibly
> just signing the +CONTENTS file would do the trick.

You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
generate files not tracked by +CONTENTS.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
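
Added example, not part of the original message or of pkg_install: a sketch of the coverage gap raised above, where a signature over +CONTENTS alone still verifies after +INSTALL has been changed. The package contents, the key, and the sign/verify helpers are constructed for illustration, and HMAC-SHA256 stands in for a real public-key signature.

```python
import hashlib
import hmac

# Constructed, simplified package metadata (not taken from a real package).
PKG = {
    "+CONTENTS": b"@name example-1.0\nbin/example\n",
    "+INSTALL": b"#!/bin/sh\n# creates a file +CONTENTS does not track\n"
                b"touch /var/db/example.state\n",
    "+DEINSTALL": b"#!/bin/sh\nrm -f /var/db/example.state\n",
}
KEY = b"constructed-demo-key"  # assumption: stand-in for the signer's key


def sign(pkg, covered):
    """MAC over name, length and bytes of every covered metadata file."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for name in sorted(covered):
        data = pkg[name]
        # Length-prefix each field so file boundaries are unambiguous.
        mac.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return mac.digest()


def verify(pkg, covered, sig):
    return hmac.compare_digest(sign(pkg, covered), sig)


def demo():
    contents_only = ("+CONTENTS",)
    all_meta = ("+CONTENTS", "+INSTALL", "+DEINSTALL")
    sig_narrow = sign(PKG, contents_only)
    sig_full = sign(PKG, all_meta)

    # Same package, but the install script was altered after signing.
    tampered = dict(PKG)
    tampered["+INSTALL"] = PKG["+INSTALL"] + b"echo changed-after-signing\n"

    return {
        "narrow_accepts_tampered": verify(tampered, contents_only, sig_narrow),
        "full_accepts_tampered": verify(tampered, all_meta, sig_full),
        "full_accepts_original": verify(PKG, all_meta, sig_full),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```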