Stephen Hahn wrote:
> I am having difficulty formulating a use case where nested or multiply
> signed packages are needed,
Imagine that IT sets up a depot of their own, and fills it with a "mirror" of the official packages. Furthermore, because the upstream repo they are mirroring has lots of versions of things in it, they wish to add metadata to selected packages that says "Recommended by your local IT department". To do this, they would take a version of (say) the "Official" Mozilla package and add their own metadata to it.

In this use case, adding metadata to a package does not necessarily invalidate its authenticity.

-John
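As an added illustration of the layered-signature idea above (this is example code, not from the thread and not pkg(5)'s own implementation): the depot signs the untouched upstream-signed manifest together with its own metadata, so a client can verify the upstream layer and the local layer independently. Keys and the manifest text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signed is the upstream publisher's envelope: the manifest plus one signature over it.
type Signed struct{ Payload, Sig []byte }

// Layered is the local depot's envelope: the untouched upstream envelope, the added
// metadata, and the local signature covering all of it.
type Layered struct {
	Inner         Signed
	Metadata, Sig []byte
}

// outerMessage is what the local signer commits to; each part is length-prefixed so
// bytes cannot be shifted between manifest, inner signature and metadata.
func outerMessage(inner Signed, metadata []byte) []byte {
	var msg []byte
	for _, part := range [][]byte{inner.Payload, inner.Sig, metadata} {
		msg = append(msg, fmt.Sprintf("%d:", len(part))...)
		msg = append(msg, part...)
	}
	return msg
}

// SignPackage is the upstream publisher's step.
func SignPackage(priv ed25519.PrivateKey, manifest []byte) Signed {
	return Signed{Payload: manifest, Sig: ed25519.Sign(priv, manifest)}
}

// AddMetadata is the local depot's step: the inner envelope is wrapped, never modified.
func AddMetadata(priv ed25519.PrivateKey, inner Signed, metadata []byte) Layered {
	return Layered{Inner: inner, Metadata: metadata, Sig: ed25519.Sign(priv, outerMessage(inner, metadata))}
}

// Verify reports each layer separately: "upstream content intact" vs "local annotation intact".
func Verify(upstream, local ed25519.PublicKey, p Layered) (upstreamOK, localOK bool) {
	upstreamOK = ed25519.Verify(upstream, p.Inner.Payload, p.Inner.Sig)
	localOK = ed25519.Verify(local, outerMessage(p.Inner, p.Metadata), p.Sig)
	return upstreamOK, localOK
}

func main() {
	upPub, upPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed upstream key pair
	itPub, itPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed local IT key pair
	pkg := AddMetadata(itPriv, SignPackage(upPriv, []byte("name=firefox version=3.0")), []byte("Recommended by your local IT department"))
	fmt.Println(Verify(upPub, itPub, pkg)) // true true: metadata added, upstream signature still valid
}
```

A client that trusts only the upstream key can still accept the package on the inner result alone; one that also trusts the local key gets the recommendation as an authenticated annotation rather than as a bare tag.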
