<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
William Hooper wrote:
<blockquote cite="mid1409.12.29.16.103.1099055899.squirrel@whooper.org"
type="cite">
<pre wrap="">John Burton said:
[snip]
</pre>
<blockquote type="cite">
<pre wrap="">As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually attached
to what you are signing.
</pre>
</blockquote>
<pre wrap=""><!---->[snip]
IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages. The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.
</pre>
</blockquote>
I didn't catch that particular detail earlier, but that would be fine.
Like I said, as long as changing the package invalidates the signature
then the purpose is served.<br>
<br>
John<br>
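<br>
The scheme the thread describes, as an added example that is not part of the original messages: the repository publishes meta-data listing one digest per package, the maintainer signs the meta-data (not the packages), and the client first checks the signature and then checks that the downloaded bytes hash to the listed value. Package names, contents and the signing key are constructed for the example; HMAC-SHA256 stands in for a real asymmetric signature such as GPG so that the code runs with the Python standard library alone. The digest algorithm is a parameter: the thread says MD5, but MD5 collisions are now practical, so a deployment should use SHA-256.<br>

```python
import hashlib
import hmac
import json

# Constructed sample "packages": the bytes of two files in a repository.
PACKAGES = {
    "foo-1.0.rpm": b"contents of foo 1.0",
    "bar-2.3.rpm": b"contents of bar 2.3",
}

# Hypothetical signing key held only by the repository maintainer. A real
# system would use an asymmetric signature (GPG, Ed25519); HMAC stands in
# here so the example runs offline with the standard library.
SIGNING_KEY = b"constructed-demo-key"


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of one package's bytes with the named algorithm."""
    return hashlib.new(algo, data).hexdigest()


def build_metadata(packages: dict, algo: str = "md5") -> dict:
    """Repository meta-data: the algorithm plus one digest per package."""
    return {
        "algo": algo,
        "packages": {name: digest(data, algo) for name, data in packages.items()},
    }


def sign_metadata(metadata: dict, key: bytes) -> str:
    """Sign a canonical encoding of the meta-data; the packages themselves
    are never signed directly, only their digests are."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_metadata(metadata: dict, signature: str, key: bytes) -> bool:
    """Any edit to the meta-data (including a digest) breaks the signature."""
    return hmac.compare_digest(sign_metadata(metadata, key), signature)


def verify_download(name: str, data: bytes, metadata: dict,
                    signature: str, key: bytes) -> bool:
    """Client-side check: signed meta-data first, then the package digest
    against the value the signed meta-data lists for that package."""
    if not verify_metadata(metadata, signature, key):
        return False
    listed = metadata["packages"].get(name)
    if listed is None:
        return False
    return hmac.compare_digest(digest(data, metadata["algo"]), listed)


def demo() -> tuple:
    """Returns (genuine ok, modified package rejected, edited meta-data rejected)."""
    meta = build_metadata(PACKAGES)
    sig = sign_metadata(meta, SIGNING_KEY)

    # Unmodified download: both checks pass.
    ok = verify_download("foo-1.0.rpm", PACKAGES["foo-1.0.rpm"], meta, sig, SIGNING_KEY)

    # Same meta-data and signature, but the package bytes differ: digest mismatch.
    modified = verify_download("foo-1.0.rpm", b"contents of foo 1.0 (modified)",
                               meta, sig, SIGNING_KEY)

    # Meta-data edited to list the digest of the modified package, but the
    # signature was made over the original meta-data: signature check fails.
    new_bytes = b"contents of foo 1.0 (modified)"
    edited = {"algo": meta["algo"],
              "packages": dict(meta["packages"], **{"foo-1.0.rpm": digest(new_bytes)})}
    edited_meta = verify_download("foo-1.0.rpm", new_bytes, edited, sig, SIGNING_KEY)

    return ok, modified, edited_meta


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The order of the two checks matters: a digest is only meaningful once the meta-data that lists it has been authenticated, so a client must refuse to compare hashes at all if the signature fails.<br>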
</body>
</html>