On 9050 day of my life Bruce Stephens wrote:
> Anyway, hashes in Arch are about detecting unexpected modifications
> due to random breakage. If you really care about patches you'd sign
> them, wouldn't you?

When you sign a patch, you just sign the ./checksum file. But this file
is a list of filenames and md5sums:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Signature-for: [EMAIL PROTECTED]/bla--main--0.1--patch-2
md5 log 3789ad2ea92692b300d67c26fc400fce
md5 bla--main--0.1--patch-2.patches.tar.gz 0d560b2d653d6602321a3be52615b01b
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
IEUEARECAAYFAKICKX8ACGKQ4RMSJ66VBHFYUGCWIWCYMIAJWHTKGVW61MKQCS+N
=82/m
-----END PGP SIGNATURE-----
So, patches are not signed directly. And MD5 is the weakest ring in the
chain.
--
Ivan Boldyrev
Today is the first day of the rest of your life.
_______________________________________________
Gnu-arch-users mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnu-arch-users
GNU arch home page:
http://savannah.gnu.org/projects/gnu-arch/
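
The layout described in the message above, as an added example that is not part of the original post or of GNU arch: a Python sketch that parses a clearsigned ./checksum file and reports which files are tied to the signature only through an MD5 digest. The function names, the sample archive name and the file contents are constructed for illustration, and the PGP signature itself is assumed to be verified separately (for example with gpg --verify).

```python
import hashlib

WEAK = {"md5"}  # digests that are no longer collision resistant

def parse_checksum(clearsigned):
    """Return (signature_hash, revision, {file name: (algorithm, hex digest)})."""
    sig_hash, revision, entries, signed = None, None, {}, False
    for line in clearsigned.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE"):
            signed = True
        elif line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # the rest is the signature packet, not signed data
        elif not signed or not line.strip():
            continue
        elif line.startswith("Hash:"):
            sig_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Signature-for:"):
            revision = line.split(":", 1)[1].strip()
        else:  # "<algorithm> <file name> <hex digest>"
            algo, rest = line.split(None, 1)
            name, digest = rest.rsplit(None, 1)
            entries[name] = (algo.lower(), digest.lower())
    return sig_hash, revision, entries

def audit(clearsigned, files):
    """files maps name -> bytes; returns a list of findings."""
    _, _, entries = parse_checksum(clearsigned)
    findings = []
    for name, (algo, digest) in entries.items():
        if name not in files:
            findings.append(f"{name}: listed but missing")
        elif hashlib.new(algo, files[name]).hexdigest() != digest:
            findings.append(f"{name}: {algo} mismatch")
        if algo in WEAK:
            findings.append(f"{name}: bound to the signature only by {algo}")
    for name in sorted(files.keys() - entries.keys()):
        findings.append(f"{name}: not covered by the signed list")
    return findings

# Constructed sample: made-up archive name, file contents and placeholder signature.
TARBALL = "bla--main--0.1--patch-2.patches.tar.gz"
SAMPLE_FILES = {"log": b"constructed log text\n", TARBALL: b"constructed tarball bytes"}
SAMPLE_CHECKSUM = "\n".join(
    ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "",
     "Signature-for: constructed@example.org--archive/bla--main--0.1--patch-2"]
    + [f"md5 {n} {hashlib.md5(d).hexdigest()}" for n, d in SAMPLE_FILES.items()]
    + ["-----BEGIN PGP SIGNATURE-----", "(placeholder, not a real signature)",
       "-----END PGP SIGNATURE-----"])

if __name__ == "__main__":
    for finding in audit(SAMPLE_CHECKSUM, SAMPLE_FILES):
        print(finding)
```

Even when every digest matches, each file is still reported as bound only by md5, because the signature's own hash covers the list and not the file contents.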
