[Rpm-metadata] Re: Rpm-metadata Digest, Vol 16, Issue 5

Peter Jones pjones at redhat.com
Tue Feb 22 02:12:41 UTC 2005


On Mon, 2005-02-21 at 14:26 -0600, Randy Zagar wrote:
> Plus, I'm not sure what the rationale for opposing an SHA-1 field in the
> xml file is based on...

The XML metadata doesn't *need* all of the validation data the package
has.  If you want any security, you have to check the actual package
anyway.  Sure, if the checksum and size and NEVRA in the metadata don't
match the package you get, you don't use the package.  But even after
that, you're still going to want to check the GPG sigs anyway.  That'd
be true even if you didn't have the MD5 sum or anything else about it.

It's important to remember that the repo data is just a cache; it's not
the real data.  Update tools still have to check the package itself for
validity, and they still check that the rpm transaction has deps
satisfied, etc.

> Why aren't ALL rpm metadata fields being supported in xml?  Wouldn't
> it be simpler to just say "we support all metadata fields supported
> by RPM"?  That way there is no need to "discuss" whether or not
> something gets included in the DTD.

Sure, it'd be simpler.  But it'd also result in a very large metadata
file, most of which isn't at *all* helpful towards the file's intended
use.

-- 
        Peter
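An added illustration of the point above, not code from this thread or from any rpm tooling: the cache-consistency check a client does against the repo metadata, parsing a constructed primary.xml fragment and comparing the fetched bytes' size and digest to what it advertises. Element names follow createrepo's primary.xml layout; the package bytes and metadata entry are constructed, and the GPG signature check the mail insists on is a separate step on the package itself that this block does not replace.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"c": "http://linux.duke.edu/metadata/common"}  # primary.xml namespace

# Constructed stand-in for a downloaded package; not a real rpm.
PACKAGE_BYTES = b"constructed-package-bytes-not-a-real-rpm"

# Constructed primary.xml fragment whose checksum and size are derived
# from PACKAGE_BYTES; in practice this comes from the repository.
PRIMARY_XML = """<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
<package type="rpm">
  <name>example</name>
  <arch>noarch</arch>
  <version epoch="0" ver="1.0" rel="1"/>
  <checksum type="sha256" pkgid="YES">%s</checksum>
  <size package="%d" installed="0" archive="0"/>
  <location href="example-1.0-1.noarch.rpm"/>
</package>
</metadata>""" % (hashlib.sha256(PACKAGE_BYTES).hexdigest(), len(PACKAGE_BYTES))

# Map primary.xml checksum type names onto hashlib algorithm names.
ALGOS = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "md5": "md5"}


def metadata_entry(primary_xml: str, href: str) -> dict:
    """Return the NEVRA, checksum and size the metadata records for one package."""
    root = ET.fromstring(primary_xml)
    for pkg in root.findall("c:package", NS):
        if pkg.find("c:location", NS).get("href") != href:
            continue
        ver = pkg.find("c:version", NS)
        cs = pkg.find("c:checksum", NS)
        nevra = "%s-%s:%s-%s.%s" % (pkg.find("c:name", NS).text, ver.get("epoch"),
                                    ver.get("ver"), ver.get("rel"), pkg.find("c:arch", NS).text)
        return {"nevra": nevra, "checksum_type": cs.get("type"),
                "checksum": cs.text, "size": int(pkg.find("c:size", NS).get("package"))}
    raise KeyError(href)


def matches_metadata(pkg: bytes, entry: dict) -> bool:
    """Cache-consistency check only: the fetched bytes must have the size and
    digest the metadata advertised. It says nothing about who signed the package."""
    if len(pkg) != entry["size"]:
        return False
    digest = hashlib.new(ALGOS[entry["checksum_type"]], pkg).hexdigest()
    return hmac.compare_digest(digest, entry["checksum"])
```

A package that passes `matches_metadata` is only known to be the file the cache described; `rpm --checksig` on the package is still where the trust decision is made.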