Idle chit-chat on #rpm irc led me to realize that lots and lots
of bandwidth is being wasted when *.rpm packages are signed.
The fundamental conceptual issue is that
Does signing *.rpm plaintext constitute a change in content?
If your criteria for "change" is looking at, say, a digest of a *.rpm
the answer is always YES! content has changed.
However, if you look at any old plaintext, creating a detached signature
changes nothing whatsoever in the plaintext. So, with exactly the same
criteria for "change", looking at a digest of the plaintext, the
answer is most
The confusion comes because a *.rpm file carries __BOTH__ the detached
signature and the plaintext in the same file.
But there's literally no reason why detached signatures cannot be
DOWNLOADING__ the plaintext Yet Again, and, if the signature
verifies, well, the signature
can be appended to headers saved in an rpmdb __WITHOUT REINSTALLING__.
73 de Jeff
Received on Sun Sep 28 19:52:33 2008