How YOU (Yast Online Update) verifies package integrity before installation?
I have google'd around a few minutes but i have not found something that answer to the question: How YOU could 'know' that the packages download-ed from an update server/mirror are the 'real' ones?
Let's say we have an update available for package Xyz on some server.
So, before doing an update, it could retrieve from a suse server ( i.e. a server _administrated_ by SUSE ) a simple LIST in the form ( XYZ <--> md5) and, after comparing the md5 ( performed by the YOU ) with the one from the LIST, we could relatively know it's 'ok'..
Does someone has an idea of how it works?