Am 17.10.2014 um 10:55 schrieb Roberto Ragusa:
On 10/06/2014 07:25 PM, Reindl Harald wrote:the last discussions suggested that the result needs to be *identical* to the full RPM downloaded for not break signaturesBizarre design; the signature should protect the content (uncompressed), not the transport method (compressed)
no - it is a smart design besides the topicthe whole RPM package is signed and so you can verify the integrity without unpack it first - the history showed security flaws more than once just uncompress untrusted archives
https://www.google.at/search?q=attack+uncompress and it is a smart design in general:RPM don't need to know anything about deltarpms the way it is implemented just because RPM has not to deal with that and only faces the rebuilt package
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
