On March 23, 2004 3:21 pm, Paul Millar wrote:
-- store the MD5SUM key that you've computed into a sister file with the name winetest-<YYYYMMDDhhmm>.zip.cookie. It's URL will be: http://theserver/path/winetest-<YYYYMMDDhhmm>.zip.cookie
This is redundant with the (detached) signatures. But, just s/.cookie/.sig/ and it works the same.
I understand, but please provide the .cookie. Let's try to minimize changes at this point, OK?
C. You need to tell us _exactly_ what the 'http://theserver/path/' is going to be. We need to store that on the WineHQ end to protect against others doing nasty stuff with our distribution system. :)
By all means, but its redundant if the .ZIP file is signed.
Again, I understand, but let's keep this as well.
Sounds good. Having it signed is a good idea, and you can go ahead and implement it. It may take us a bit longer to actually check the signature, but that's a different matter.
Hmmm, probably about the same speed. AFAIK, gpg using md5sums internally (within signatures), so its the time taken to decrypt a md5sum in the signature, calculate the md5sum of the .ZIP file and compare the two.
I was talking about implmentation speed :) That is, it may take us a bit longer to actually check the sig, but we can go ahead without it.