Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <email@example.com>
From: Simon J. Gerraty <firstname.lastname@example.org>
Date: 07/30/2005 21:48:18
>> We should be using better hashes than MD5, these days. But yes, possibly
>> just signing the +CONTENTS file would do the trick.
>You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
>generate files not tracked by +CONTENTS.
If +CONTENTS is signed (+CONTENTS.sig) and contains sha1 hashes for
+INSTALL etc., then they (+INSTALL etc.) are effectively signed as well, no?
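The transitive check described above, as an added example that is not part of the thread or of any pkg tool: a detached signature over +CONTENTS is verified first, then every file whose digest +CONTENTS lists is checked against it, and a package whose +INSTALL or +DEINSTALL is not listed is rejected. The manifest line format, script bodies and key are constructed for the example, and an HMAC stands in for the public-key signature a real signer would produce.

```python
import hashlib
import hmac

# Constructed sample scripts standing in for a real package's metadata files.
INSTALL_SCRIPT = b"#!/bin/sh\necho installing\n"
DEINSTALL_SCRIPT = b"#!/bin/sh\necho removing\n"

def digest(data: bytes, algo: str = "sha1") -> str:
    # sha1 to match the thread; a current deployment would pick sha256.
    return hashlib.new(algo, data).hexdigest()

def build_contents(files: dict) -> bytes:
    # Constructed manifest format: one "@digest <name> <hash>" line per file.
    lines = [f"@digest {n} {digest(d)}" for n, d in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()

def sign_contents(contents: bytes, key: bytes) -> bytes:
    # HMAC stands in for the detached public-key signature in +CONTENTS.sig.
    return hmac.new(key, contents, "sha256").digest()

def verify_package(contents: bytes, sig: bytes, key: bytes, files: dict):
    """Accept only if +CONTENTS.sig holds AND every listed file matches."""
    if not hmac.compare_digest(sign_contents(contents, key), sig):
        return False, "+CONTENTS signature invalid"
    expected = {}
    for line in contents.decode().splitlines():
        if line.startswith("@digest "):
            _, name, h = line.split()
            expected[name] = h
    for name in ("+INSTALL", "+DEINSTALL"):  # the scripts must themselves be listed
        if name not in expected:
            return False, f"{name} not covered by +CONTENTS"
    for name, h in expected.items():
        if name not in files or not hmac.compare_digest(digest(files[name]), h):
            return False, f"{name} missing or digest mismatch"
    return True, "ok"

def demo() -> dict:
    key = b"constructed-signing-key"  # placeholder, not a real signing key
    files = {"+INSTALL": INSTALL_SCRIPT, "+DEINSTALL": DEINSTALL_SCRIPT}
    contents = build_contents(files)
    sig = sign_contents(contents, key)
    results = {"good": verify_package(contents, sig, key, files)}
    # +INSTALL altered while +CONTENTS is untouched: the digest check catches it.
    bad_files = {**files, "+INSTALL": b"#!/bin/sh\necho something else\n"}
    results["tampered_script"] = verify_package(contents, sig, key, bad_files)
    # +CONTENTS rewritten to match the altered script: the signature no longer holds.
    results["tampered_manifest"] = verify_package(build_contents(bad_files), sig, key, bad_files)
    return results
```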