James Harlow wrote: [Sat Nov 22 2003, 08:15:57AM EST]
> I hope I've convinced people this is valuable.

I was convinced already, but it's really nice to see some first steps listed and some worst case scenarios covered.

md5sums help to prevent problems due to corrupted downloads and/or corrupted mirrors. This can include corruption due to malicious tampering. However, it doesn't provide the avenues of detection and containment provided by signatures. An additional benefit of signatures is that they can only be generated by a developer, whereas md5sums can be generated by whoever.

Would it be possible to store the signatures in a file separate from the sources themselves, similar to the digests at the moment?

Aron

--
Aron Griffis
Gentoo Linux Developer (alpha / ia64 / ruby / vim)
Key fingerprint = E3B6 8734 C2D6 B5E5 AE76 FB3A 26B1 C5E3 2010 4EB0