RPM submission procedure
Eric S. Raymond
esr at thyrsus.com
Thu Jan 8 02:46:23 UTC 2004
Alan Cox <alan at redhat.com>:
> > (2) Don't RPMs have their own internal checksum?
>
> Checksums and digital signatures optionally. One very good reason for
> submitting an MD5sum in the request though is to make sure you didn't
> screw up the URL or get a stale file cached somewhere. It could be
> a completely valid genuine GPG signed wrong RPM otherwise. Having the
> extra verification just means the system knows it got the right package,
> nobody slipped up and no evil web accelerator or cache got in the way
> to ruin the party.
Got it. OK, this means my hypothetical client needs to be able to
push the URL and a verification checksum. I still think the Description
field ought to be extracted at the Fedora end from the SRPM itself.
--
Eric S. Raymond <http://www.catb.org/~esr/>
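
The check discussed in this message, sketched as an added example that is not part of the original post or of any Fedora tooling: the receiving end fetches the submitted URL and accepts the file only if its digest matches the checksum pushed with the request. The `Submission` record, the fetch callables, the URL and the sample bytes are all assumptions constructed for illustration; signature verification would be a separate step.

```python
import hashlib
import hmac
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class Submission:
    """Hypothetical request: what the client pushes alongside the package."""
    url: str
    digest_hex: str
    algorithm: str = "md5"  # the thread speaks of an MD5sum; "sha256" works too

def stream_digest(stream, algorithm, chunk_size=65536):
    """Hash a binary stream in chunks so large SRPMs need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def check_submission(sub, fetch):
    """fetch(url) returns a binary stream, or None if nothing is served there."""
    stream = fetch(sub.url)
    if stream is None:
        return "rejected: nothing at URL"
    actual = stream_digest(stream, sub.algorithm)
    expected = sub.digest_hex.strip().lower()
    if not hmac.compare_digest(actual, expected):
        # A genuine, even validly signed, package can still be the wrong one.
        return "rejected: checksum mismatch"
    return "accepted"

# Constructed sample data: two builds of the same package behind one URL.
URL = "http://example.org/srpms/foo.src.rpm"
NEW_BUILD = b"constructed bytes standing in for foo-1.1-1.src.rpm"
STALE_BUILD = b"constructed bytes standing in for foo-1.0-1.src.rpm"

def origin_fetch(url):
    """Simulated origin server holding the build the submitter hashed."""
    return io.BytesIO(NEW_BUILD) if url == URL else None

def stale_cache_fetch(url):
    """Simulated cache still serving the previous build."""
    return io.BytesIO(STALE_BUILD) if url == URL else None

SUBMISSION = Submission(URL, hashlib.new("md5", NEW_BUILD).hexdigest())

if __name__ == "__main__":
    print("origin:", check_submission(SUBMISSION, origin_fetch))
    print("stale cache:", check_submission(SUBMISSION, stale_cache_fetch))
```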