In practice though, people shouldn't be using raw `rpm` to install RPMs.  They 
should (and 90% of the time are) using a higher level system like zypper, yum, 
or rpm-ostree.  

These systems all consume "rpm-md/yum" metadata, which obviously today has a 
checksum over the content, which can be verified without opening the RPM.

I know they're not the same - having a checksum just over the content as 
opposed to header+content should (AIUI) allow us to GPG sign without 
invalidating the content checksum (right?).

But it's surprising to me that we'd do something here without (apparently) 
considering how it interacts with rpm-md.


-- 
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283343716
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
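The question above, about whether adding a GPG signature invalidates the rpm-md content checksum, turns on which bytes each digest covers. The following is an added example, not code from the thread or from the rpm project: it builds a tiny synthetic RPM in memory (lead, signature header, main header, payload; all constructed test data, every header entry written as type BIN for simplicity), then compares the digest that rpm-md's `<checksum pkgid="YES">` stores (the whole file) with a digest of header+payload, the region that sits after the signature header and that RPM's own signature tags cover. Tag numbers 268 (RPMSIGTAG_RSA) and 1000 are used as labels only; the "signature" bytes are a placeholder, not a real OpenPGP packet.

```python
"""Added example: where the rpm-md package checksum and an RPM signature
overlap.  Builds a synthetic RPM (constructed data, not a real package)."""
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
RPM_BIN_TYPE = 7          # header entry type for opaque binary data
RPMSIGTAG_SIZE = 1000     # assumed tag numbers, used as labels only
RPMSIGTAG_RSA = 268


def build_header(entries):
    """Serialise (tag, bytes) pairs into an RPM header section: magic(4),
    reserved(4), nindex(4), hsize(4), 16-byte index entries, data store.
    Every entry is written as BIN type, so no store alignment is needed."""
    index, store = b"", b""
    for tag, data in entries:
        index += struct.pack(">iiii", tag, RPM_BIN_TYPE, len(store), len(data))
        store += data
    return (RPM_HEADER_MAGIC + b"\0" * 4
            + struct.pack(">ii", len(entries), len(store)) + index + store)


def build_rpm(sig_entries, hdr_entries, payload):
    """Assemble lead + signature header (padded to 8 bytes) + header + payload."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0])              # rpm lead format 3.0
            + struct.pack(">hh", 0, 1)                  # type=binary, arch=1
            + b"demo-1.0-1".ljust(66, b"\0")            # NEVR, NUL padded
            + struct.pack(">hh", 1, 5)                  # os, signature_type=5
            + b"\0" * 16)                               # reserved
    assert len(lead) == LEAD_SIZE
    sig = build_header(sig_entries)
    sig += b"\0" * ((8 - len(sig) % 8) % 8)             # signature header is 8-aligned
    return lead + sig + build_header(hdr_entries) + payload


def header_section_len(blob, off):
    """Length of the header section starting at `off`, after checking its magic."""
    if blob[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">ii", blob[off + 8:off + 16])
    return 16 + 16 * nindex + hsize


def split_rpm(blob):
    """Return (lead, signature_header_with_padding, header_plus_payload)."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM")
    sig_len = header_section_len(blob, LEAD_SIZE)
    sig_len += (8 - sig_len % 8) % 8
    hdr_off = LEAD_SIZE + sig_len
    header_section_len(blob, hdr_off)                   # validates the main header magic
    return blob[:LEAD_SIZE], blob[LEAD_SIZE:hdr_off], blob[hdr_off:]


def rpm_md_pkgid(blob):
    """What createrepo stores as <checksum pkgid="YES"> in primary.xml: a
    digest over the whole file, which dnf/zypper verify before opening it."""
    return hashlib.sha256(blob).hexdigest()


def signed_region_digest(blob):
    """Digest of header+payload, i.e. everything after the signature header.
    The signature header itself is excluded, so re-signing leaves it unchanged."""
    _, _, rest = split_rpm(blob)
    return hashlib.sha256(rest).hexdigest()


# Constructed stand-ins for real package content.
PAYLOAD = b"\x1f\x8b" + b"constructed stand-in for the compressed cpio payload"
HEADER = [(1000, b"demo\0"), (1001, b"1.0\0"), (1002, b"1\0")]   # NAME, VERSION, RELEASE


def unsigned_rpm():
    return build_rpm([(RPMSIGTAG_SIZE, struct.pack(">i", 0))], HEADER, PAYLOAD)


def signed_rpm():
    fake_sig = b"\x89\x01" + b"\xab" * 60                # placeholder, not a real OpenPGP packet
    return build_rpm([(RPMSIGTAG_SIZE, struct.pack(">i", 0)),
                      (RPMSIGTAG_RSA, fake_sig)], HEADER, PAYLOAD)


if __name__ == "__main__":
    before, after = unsigned_rpm(), signed_rpm()
    print("header+payload digest unchanged by signing:",
          signed_region_digest(before) == signed_region_digest(after))
    print("rpm-md pkgid unchanged by signing:",
          rpm_md_pkgid(before) == rpm_md_pkgid(after))
```

Running it shows the two digests behave differently: header+payload is identical before and after the signature header changes, while the whole-file digest, which is what the rpm-md `<checksum>` carries, is not. So a signature added after `createrepo` has run does require regenerating the repository metadata, whereas a digest scoped to header+payload would survive it.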
