Regarding QA

Carlos Villegas villegas at math.gatech.edu
Tue Feb 10 22:31:28 UTC 2004


On Fri, Feb 06, 2004 at 03:53:45AM -0500, Todd wrote:
> 
> The gpg check is the one I prefer to use.  The Fedora.us wiki
> suggests gpg signed md5 hash files to go along with the uploaded
> packages and most of the packages submitted so far for FL have done
> this, though I have to wonder what the point is.  If you check the gpg
> signature of the md5 file and then use the md5 file to check the
> packages, you might as well just use gpg to check the packages
> directly.  (Hope that didn't leave you more confused than you were
> before.)

There is a good reason to use gpg signed md5's, and it is that, as
is clear, some people don't know gpg but are capable of verifying
an md5 sum. So if you know gpg you can get the md5 and check the
gpg; if you don't, you can at least compare the md5 (clearly not
very secure, but at least something).

Carlos

PS: Sorry I entered so late to this thread, I'm behind on mail
reading...
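
The two-step check discussed in this message, as an added example that is not part of the original e-mail or of any Fedora Legacy tooling: the checksum list is trusted only after gpg accepts its signature, and only then are the packages compared against it. The function name and file layout are hypothetical; it assumes GNU md5sum, a clearsigned checksum file, and a keyring holding only keys you already trust, since gpg reports success for a good signature from any key it knows.

```shell
#!/bin/sh
# Added example (hypothetical helper, not project code).
# verify_packages SIGNED_SUMS PKG_DIR
#   SIGNED_SUMS : clearsigned output of "md5sum *.rpm"
#   PKG_DIR     : directory holding the files named in that list
# Exit status: 0 = signature good and every file matches
#              1 = signature good but a checksum failed
#              2 = signature missing, bad, or made by an unknown key
#              3 = could not create a temporary file
verify_packages() {
    signed=$1
    pkgdir=$2
    sums=$(mktemp) || return 3

    # Step 1: authenticate the list. Use only the text gpg emits:
    # anything outside the signed block of the file is unauthenticated,
    # so feeding the raw file to md5sum would defeat the signature.
    if ! gpg --batch --yes --output "$sums" --decrypt "$signed" 2>/dev/null
    then
        rm -f "$sums"
        echo "signature check failed for $signed; hashes not trusted" >&2
        return 2
    fi

    # Step 2: only now compare the packages against the verified hashes.
    # An empty or malformed list makes md5sum fail, so this fails closed.
    rc=0
    ( cd "$pkgdir" && md5sum -c "$sums" ) || rc=$?
    rm -f "$sums"

    if [ "$rc" -ne 0 ]; then
        echo "checksum mismatch in $pkgdir" >&2
        return 1
    fi
    return 0
}
```

Someone without gpg can only run the second step against the unverified list, which detects a corrupted download but not a list replaced along with the packages.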





More information about the fedora-legacy-list mailing list