
Re: Rawhide issues



On Tue, 2008-04-15 at 12:53 +0200, Till Maas wrote:
> On Tue April 15 2008, Richard Hughes wrote:
> > On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > > I've prevented rawhide from being composed again until we're done
> > > signing packages
> >
> > Can't we just sign all rawhide packages in the future? Installing
> > unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> > inside. :-)
> 
> Afaik Sigul, an automated gpg signing system, needs to be finished / tested 
> before this will happen:
> https://fedorahosted.org/sigul
> 


How would people feel if we didn't sign pkgs at all? What if we made
repodata and only signed the repomd.xml? And we made the checksum for
the packages sha256 or sha512?

Then we'd have:
 - signed repomd.xml
 - verify primary metadata against signed repomd.xml
 - verify package checksums against primary

How would people feel about that?

-sv
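
The checksum chain proposed above (steps 2 and 3), as an added example that is not part of the original message or of any Fedora tool. It assumes step 1 already happened: the caller has verified the signature on repomd.xml (for instance a detached GPG signature) before passing its bytes in. The element names follow the repomd.xml/primary.xml layout, and the sample repository is constructed.

```python
import gzip, hashlib
import xml.etree.ElementTree as ET

REPO = "{http://linux.duke.edu/metadata/repo}"
COMMON = "{http://linux.duke.edu/metadata/common}"
ALLOWED = {"sha256", "sha512"}  # the digest types the message proposes

def digest_ok(data, algo, expected):
    # Refuse weak or unknown digest types instead of falling back to them.
    return algo in ALLOWED and hashlib.new(algo, data).hexdigest() == expected.lower()

def primary_entry(repomd_trusted):
    # Assumption: the signature on these repomd.xml bytes was verified by the caller.
    for d in ET.fromstring(repomd_trusted).iter(REPO + "data"):
        if d.get("type") == "primary":
            c = d.find(REPO + "checksum")
            return d.find(REPO + "location").get("href"), c.get("type"), c.text.strip()
    raise ValueError("repomd.xml lists no primary metadata")

def load_packages(repomd_trusted, primary_gz):
    # Step 2: check the primary file against repomd.xml BEFORE parsing it.
    _, algo, want = primary_entry(repomd_trusted)
    if not digest_ok(primary_gz, algo, want):
        raise ValueError("primary metadata does not match signed repomd.xml")
    pkgs = {}
    for p in ET.fromstring(gzip.decompress(primary_gz)).iter(COMMON + "package"):
        c = p.find(COMMON + "checksum")
        pkgs[p.find(COMMON + "location").get("href")] = (c.get("type"), c.text.strip())
    return pkgs

def package_ok(pkgs, href, rpm_bytes):
    # Step 3: accept a package only if primary lists it and its digest matches.
    return href in pkgs and digest_ok(rpm_bytes, *pkgs[href])

# Constructed sample repository (not real Fedora metadata).
RPM = b"constructed stand-in for an rpm payload"
PRIMARY_GZ = gzip.compress((
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
    '<package type="rpm"><name>demo</name>'
    '<checksum type="sha256" pkgid="YES">%s</checksum>'
    '<location href="Packages/demo-1.0-1.noarch.rpm"/></package></metadata>'
    % hashlib.sha256(RPM).hexdigest()).encode())
REPOMD = (
    '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
    '<checksum type="sha256">%s</checksum>'
    '<location href="repodata/primary.xml.gz"/></data></repomd>'
    % hashlib.sha256(PRIMARY_GZ).hexdigest()).encode()
```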


