Idle chit-chat on #rpm irc led me to realize that lots and lots
of bandwidth is being wasted when *.rpm packages are signed.
The fundamental conceptual issue is this: does signing *.rpm plaintext constitute a change in content?
If your criterion for "change" is looking at, say, a digest of a *.rpm file, the answer is always YES! Content has changed.
However, if you look at any old plaintext, creating a detached signature changes nothing whatsoever in the plaintext. So, with exactly the same criterion for "change", looking at a digest of the plaintext, the answer is most definitely NO!
The confusion comes because a *.rpm file carries __BOTH__ the detached
signature and the plaintext in the same file.
But there's literally no reason why detached signatures cannot be transported __WITHOUT DOWNLOADING__ the plaintext Yet Again, and, if the signature verifies, well, the signature can be appended to headers saved in an rpmdb __WITHOUT REINSTALLING__.
todo++
73 de Jeff
Received on Sun Sep 28 19:52:33 2008
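The point of the post made concrete, as an added example that is not part of the original message or of rpm itself: split a *.rpm into its lead, its signature header and the plaintext (header + payload) using the header-structure layout, then show that swapping the signature header changes the whole-file digest but leaves the plaintext digest untouched. The sample rpm bytes are constructed here and carry only a placeholder tag; the tag numbers 1005/1000 and types 7/6 are rpmlib's GPG signature, NAME, BIN and STRING values.

```python
import hashlib
import struct

LEAD_SIZE = 96                                       # fixed-size rpm lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"   # header structure magic + reserved
RPMSIGTAG_GPG, RPM_BIN_TYPE = 1005, 7

def make_header(entries, data, pad8=False):
    """Build a header structure: magic, counts, 16-byte index entries, data store."""
    index = b"".join(struct.pack(">IIII", *e) for e in entries)
    blob = HEADER_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data
    if pad8:                                         # signature header is padded to 8 bytes
        blob += b"\0" * (-len(blob) % 8)
    return blob

def header_length(blob, offset, pad8=False):
    """Length of the header structure at offset, read from its index/data counts."""
    if blob[offset:offset + 8] != HEADER_MAGIC:
        raise ValueError("no header structure at offset %d" % offset)
    nindex, hsize = struct.unpack(">II", blob[offset + 8:offset + 16])
    length = 16 + 16 * nindex + hsize
    return length + (-length % 8 if pad8 else 0)

def split_rpm(blob):
    """Split an rpm into (lead, signature header, plaintext = header + payload)."""
    sig_end = LEAD_SIZE + header_length(blob, LEAD_SIZE, pad8=True)
    return blob[:LEAD_SIZE], blob[LEAD_SIZE:sig_end], blob[sig_end:]

def attach_signature(blob, signature):
    """Return the same rpm carrying a new signature header; the plaintext is untouched."""
    lead, _, plaintext = split_rpm(blob)
    sig = make_header([(RPMSIGTAG_GPG, RPM_BIN_TYPE, 0, len(signature))], signature, pad8=True)
    return lead + sig + plaintext

def plaintext_digest(blob):
    return hashlib.sha256(split_rpm(blob)[2]).hexdigest()

def file_digest(blob):
    return hashlib.sha256(blob).hexdigest()

def constructed_rpm():
    """A minimal constructed rpm: lead, empty signature header, header + payload."""
    lead = b"\xed\xab\xee\xdb" + b"\0" * (LEAD_SIZE - 4)   # rpm lead magic, rest zeroed
    sig = make_header([], b"", pad8=True)
    hdr = make_header([(1000, 6, 0, 5)], b"demo\0")       # one constructed NAME string tag
    return lead + sig + hdr + b"constructed-cpio-payload"

if __name__ == "__main__":
    unsigned = constructed_rpm()
    signed = attach_signature(unsigned, b"constructed-detached-signature")
    print(plaintext_digest(unsigned) == plaintext_digest(signed))  # True
    print(file_digest(unsigned) == file_digest(signed))            # False
```

Because `split_rpm` locates the signature header from its own counts, a signature fetched separately can be attached to an already-downloaded plaintext without re-fetching it, which is exactly the bandwidth saving the post describes.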