* Garrett D'Amore <gdamore at sun.com> [2008-07-31 03:41]:
> I also would prefer to see a model where nested signing or multiple
> signing is possible.

So, as I pointed out during the discussion, changing a package's tags or its contents would be interpreted by most package publishers as "not my package anymore", and I would expect them to not be interested in seeing their signature propagate on after their package has been manipulated. I suppose I based that assumption on the fact that the signing support on SysV is single certificate, and was added relatively recently (S10, maybe an S9 update as well)--meaning that the requirements are still reasonably up-to-date.

I am having difficulty formulating a use case where nested or multiply signed packages are needed, and in which the consumer makes different decisions when distinct subsets of the signing entities cannot be independently verified. Maybe someone has an example?

- Stephen

--
sch at sun.com  http://blogs.sun.com/sch/
