On 01/31/2010 09:18 PM, Nilesh Govindarajan wrote:
> On 01/31/2010 08:31 PM, Ananda Samaddar wrote:
>> [snip]
> Key signing is not required for us I think. Because Arch people are
> the first to release package updates. It is tested properly and is
> given in .tar.gz archives. Even if a byte is altered in the archive
> then its md5sum would change so pacman will complain.
Close, but what about the package list? The proposals I've seen have
mostly been to just sign the package list, since the md5 takes care of
everything else.

Reply via email to