[Rpm-maint] [rpm-software-management/rpm] RFE: add a digest on the compressed payload content (#163)
Colin Walters
notifications at github.com
Wed Mar 1 14:59:48 UTC 2017
Okay, but that'd also be caught by MD5, right? So...do we expect every package system to verify *both* the rpm-md checksum and this one? Running SHA256 or whatever *is* pretty cheap, I know.
Perhaps enough people rely on "untrusted rpm-md fetched over http + GPG signed RPMs" that we have to fix this. But I think greater security comes from pushing everyone to do [cert pinned rpm-md](https://pagure.io/fedora-infrastructure/issue/5372).
https://github.com/rpm-software-management/rpm/issues/163#issuecomment-283363152