Okay, but that'd also be caught by MD5, right?  So...do we expect every package 
system to verify *both* the rpm-md checksum and this one?  Running SHA256 or 
whatever *is* pretty cheap, I know.

Perhaps enough people rely on "untrusted rpm-md fetched over http + GPG signed 
RPMs" that we have to fix this.  But I think greater security comes from 
pushing everyone to do [cert pinned 
rpm-md](https://pagure.io/fedora-infrastructure/issue/5372).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283363152
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
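The check being debated above is the rpm-md one: a package file must hash to the checksum recorded for it in the repository's primary.xml. The following is an added illustration, not code from rpm, dnf or yum, of what that check looks like when done carefully. The package bytes and the primary.xml fragment are constructed inline (they are not a real RPM or a real repository); the metadata namespace is the standard one used by rpm-md. The helper `check_status` reports why a verification failed, and `verify_package` reduces that to a boolean. Note that a repository can legitimately advertise md5 or sha1 as the checksum `type`; this example refuses to accept those rather than treating "some checksum matched" as proof of integrity, which is the caveat behind the "caught by MD5" question.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Standard rpm-md namespace for primary.xml (this part is not an assumption).
NS = "http://linux.duke.edu/metadata/common"

# Checksum types we are willing to trust. md5/sha1 are accepted by real
# repositories but are deliberately rejected here.
STRONG_TYPES = {"sha256", "sha384", "sha512"}

# Constructed sample "package" payloads (not real RPMs; the lead bytes just
# mimic the RPM lead magic for readability).
PKG_GOOD = b"\xed\xab\xee\xdb" + b"constructed-package-payload"
PKG_TAMPERED = b"\xed\xab\xee\xdb" + b"constructed-package-payload-tampered"


def _hexdigest(alg: str, data: bytes) -> str:
    return hashlib.new(alg, data).hexdigest()


# Constructed primary.xml fragment. Both entries describe PKG_GOOD; the
# second one advertises only an md5 checksum, as an old repository might.
PRIMARY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="{NS}" packages="2">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">{_hexdigest('sha256', PKG_GOOD)}</checksum>
    <location href="Packages/example-1.0-1.noarch.rpm"/>
  </package>
  <package type="rpm">
    <name>legacy</name>
    <checksum type="md5" pkgid="YES">{_hexdigest('md5', PKG_GOOD)}</checksum>
    <location href="Packages/legacy-1.0-1.noarch.rpm"/>
  </package>
</metadata>
"""


def load_checksums(xml_text: str) -> dict:
    """Map each package's location href to (checksum type, hex digest)."""
    root = ET.fromstring(xml_text)
    checksums = {}
    for pkg in root.findall(f"{{{NS}}}package"):
        cs = pkg.find(f"{{{NS}}}checksum")
        loc = pkg.find(f"{{{NS}}}location")
        if cs is None or loc is None or not cs.text:
            continue  # malformed entry: never record a package we cannot check
        checksums[loc.get("href")] = (cs.get("type", "").lower(), cs.text.strip().lower())
    return checksums


def check_status(href: str, data: bytes, checksums: dict) -> str:
    """Explain the outcome of checking `data` against the rpm-md entry for `href`.

    Returns one of: "ok", "mismatch", "weak-algorithm", "unlisted".
    """
    entry = checksums.get(href)
    if entry is None:
        return "unlisted"          # metadata never mentioned this file
    alg, expected = entry
    if alg not in STRONG_TYPES:
        return "weak-algorithm"    # refuse md5/sha1 rather than trust them
    actual = _hexdigest(alg, data)
    # Constant-time comparison; avoids leaking digest prefixes via timing.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_package(href: str, data: bytes, checksums: dict) -> bool:
    """True only when the file matches a strong rpm-md checksum."""
    return check_status(href, data, checksums) == "ok"


if __name__ == "__main__":
    table = load_checksums(PRIMARY_XML)
    for href, blob in (("Packages/example-1.0-1.noarch.rpm", PKG_GOOD),
                       ("Packages/example-1.0-1.noarch.rpm", PKG_TAMPERED),
                       ("Packages/legacy-1.0-1.noarch.rpm", PKG_GOOD),
                       ("Packages/missing-1.0-1.noarch.rpm", PKG_GOOD)):
        print(href, check_status(href, blob, table))
```

This check is only as good as the primary.xml it reads; that is exactly why the message above argues for fetching the rpm-md itself over a pinned TLS connection (or otherwise authenticating it) rather than relying on a per-package check alone.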
