[MeeGo-dev] Incompatibility is a benefit? (was: Re: RPM vs DEB, the FAQ item?)

Yves-Alexis Perez corsac at debian.org
Wed Feb 17 01:06:17 CST 2010


On 17/02/2010 07:21, Kamen Bundev wrote:
> Another thing is that RPM allows for PGP signing, thus efficient control
> over any repositories and RPM sources.

Debian .changes files are GPG-signed before being uploaded (and contain
hashes of included files). On the repository the Release is GPG-signed
too (and contains hashes of the Packages files, which themselves contain all
the package descriptions and hashes).

.deb files themselves aren't signed, but there's not much point (if you manage
to change a file on the repository, the hash won't match in the Packages
file, if you change that, the hash won't match in the Release file, if you
change that, the GPG signature won't verify).

The *user* doesn't know what developer signed the upload, but there's
not much point in that case.

Whether the uploads are signed or not is a matter of architecture. In
Debian, they are, in Maemo they are not, what's used is an ssh key for
the transfer itself, which is associated to the user account on garage.

I prefer the gpg-sign of .changes files but that's a personal
preference. Anyway, back to the point, I don't really think it really
matters since both systems /do/ use GPG signing.

Cheers,
-- 
Yves-Alexis
