Subject: Updated distfiles with old version numbers
To: None <tech-pkg@netbsd.org>
From: Martti Kuparinen <martti.kuparinen@iki.fi>
List: tech-pkg
Date: 11/07/2005 09:17:42
Hi!

How can I make these people understand that changing the distribution
file without changing the version number is a bad thing to do from the
package maintainer's point of view...

Martti



-------- Original Message --------
Subject: Re: gtk-xfce-engine MD5 sum problem
Date: Mon, 07 Nov 2005 07:41:49 +0100
From: Olivier Fourdan <fourdan@xfce.org>
Reply-To: XFCE4 development list <xfce4-dev@xfce.org>
Organization: http://www.xfce.org
To: XFCE4 development list <xfce4-dev@xfce.org>
References: <20051107063641.182935ce.linuce@gmail.com>

On Mon, 2005-11-07 at 06:36 +0100, LiNuCe wrote:
>    It seems there is something wrong as both archives should have the
> same MD5 sum. As we are talking about integrity, why not sign the
> *.md5 file for the whole XFCE archives with GPG to also ensure
> authenticity?


The versions are identical, but packages are rebuilt for each release,
which means that the md5sum might be different (the tar contains dates
that might change due to the generated files).

The MD5 sum is mainly to verify that the downloaded files are complete;
as there is no digital signature, it should not be considered as a
security proof.

Cheers,
Olivier.
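
The effect described in the forwarded reply, as an added example that is not part of the original thread: the same files packed at two different times give different archive checksums, and a per-member content digest lets a package maintainer tell a metadata-only re-roll from a real content change. The function names, file names, and timestamps are constructed for illustration, the archives are uncompressed, and SHA-256 is used in place of MD5.

```python
import hashlib
import io
import tarfile

def build_tar(files, mtime):
    """Build an uncompressed in-memory tar; every member gets the given mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def archive_digest(blob):
    """Digest of the raw archive bytes, which is what a distfile checksum records."""
    return hashlib.sha256(blob).hexdigest()

def content_manifest(blob):
    """Map member name -> digest of the file contents, ignoring tar metadata."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest

def classify_change(old_blob, new_blob):
    """Report whether a re-rolled distfile differs in metadata only or in content."""
    if archive_digest(old_blob) == archive_digest(new_blob):
        return "identical"
    old, new = content_manifest(old_blob), content_manifest(new_blob)
    if old == new:
        return "metadata-only"
    changed = sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
    return "content-changed: " + ", ".join(changed)

# Constructed sample data: the same files packed at two different times.
SAMPLE = {"README": b"example release\n", "src/main.c": b"int main(void) { return 0; }\n"}
FIRST = build_tar(SAMPLE, 1131000000)
REROLL = build_tar(SAMPLE, 1131346909)
PATCHED = build_tar({**SAMPLE, "src/main.c": b"int main(void) { return 1; }\n"}, 1131346909)

if __name__ == "__main__":
    print(classify_change(FIRST, REROLL))
    print(classify_change(FIRST, PATCHED))
```

A "metadata-only" result says the file contents match the archive already recorded; like the checksum itself, it says nothing about who produced the new archive.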