Rawhide issues

seth vidal skvidal at fedoraproject.org
Tue Apr 15 12:31:37 UTC 2008


On Tue, 2008-04-15 at 12:53 +0200, Till Maas wrote:
> On Tue April 15 2008, Richard Hughes wrote:
> > On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > > I've prevented rawhide from being composed again until we're done
> > > signing packages
> >
> > Can't we just sign all rawhide packages in the future? Installing
> > unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> > inside. :-)
> 
> Afaik Sigul, an automated gpg signing system, needs to be finished / tested 
> before this will happen:
> https://fedorahosted.org/sigul
> 


How would people feel if we didn't sign pkgs at all? What if we made
repodata and only signed the repomd.xml? And we made the checksum for
the packages sha256 or sha512?

Then we'd have:
 - signed repomd.xml
 - verify primary metadata against signed repomd.xml
 - verify package checksums against primary

How would people feel about that?

-sv
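A worked version of the three-step chain proposed in the message above, added here as an illustration and not code from the thread or from Fedora's tooling. It assumes the yum repodata layout (a `repomd.xml` and a `primary.xml` in their usual namespaces) and, because the Python standard library has no OpenPGP support, stands in for the GPG detached-signature check on `repomd.xml` with an HMAC-based verifier that is injected as a callable; the repository contents and the key are constructed sample data.

```python
"""Verify a package through the chain: signed repomd.xml -> primary metadata -> package bytes."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# --- constructed sample repository (not real Fedora data) -------------------
PACKAGE = b"\xed\xab\xee\xdb fake-rpm-bytes for demonstration"
PKG_HREF = "Packages/example-1.0-1.noarch.rpm"
PKG_SHA256 = hashlib.sha256(PACKAGE).hexdigest()

PRIMARY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">{PKG_SHA256}</checksum>
    <location href="{PKG_HREF}"/>
  </package>
</metadata>
""".encode()
PRIMARY_SHA256 = hashlib.sha256(PRIMARY_XML).hexdigest()

REPOMD_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha256">{PRIMARY_SHA256}</checksum>
    <location href="repodata/primary.xml"/>
  </data>
</repomd>
""".encode()

# Stand-in for the GPG detached signature on repomd.xml: an HMAC under a
# constructed key. In a real deployment this callable would invoke gpg.
DEMO_KEY = b"constructed-demo-key-not-a-real-signing-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, "sha256").digest()


def demo_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)


REPOMD_SIG = demo_sign(REPOMD_XML)

REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}
COMMON_NS = {"c": "http://linux.duke.edu/metadata/common"}


def _digest(algo: str, data: bytes) -> str:
    # Only the strong digests the proposal names are accepted as chain links.
    if algo not in ("sha256", "sha512"):
        raise ValueError(f"unsupported checksum type {algo!r}")
    return hashlib.new(algo, data).hexdigest()


def verify_chain(repomd, signature, verify_signature, primary, href, package) -> bool:
    """Return True when every link holds; raise ValueError naming the first broken link."""
    # Link 1: the only signed artifact is repomd.xml; check it before parsing anything.
    if not verify_signature(repomd, signature):
        raise ValueError("repomd.xml signature does not verify")
    data = ET.fromstring(repomd).find("r:data[@type='primary']", REPO_NS)
    if data is None:
        raise ValueError("repomd.xml lists no primary metadata")
    cs = data.find("r:checksum", REPO_NS)
    # Link 2: primary metadata must hash to the value the signed repomd.xml states.
    if not hmac.compare_digest(_digest(cs.get("type"), primary), cs.text.strip()):
        raise ValueError("primary metadata does not match signed repomd.xml")
    # Link 3: the package must hash to the value the (now trusted) primary states.
    for pkg in ET.fromstring(primary).findall("c:package", COMMON_NS):
        loc = pkg.find("c:location", COMMON_NS)
        if loc is not None and loc.get("href") == href:
            pcs = pkg.find("c:checksum", COMMON_NS)
            if not hmac.compare_digest(_digest(pcs.get("type"), package), pcs.text.strip()):
                raise ValueError(f"package {href} does not match primary metadata")
            return True
    raise ValueError(f"package {href} is not listed in primary metadata")


def outcome(repomd=REPOMD_XML, sig=REPOMD_SIG, primary=PRIMARY_XML,
            package=PACKAGE, href=PKG_HREF) -> str:
    """'ok' when the chain verifies, otherwise the name of the broken link."""
    try:
        verify_chain(repomd, sig, demo_verify, primary, href, package)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("intact repo:     ", outcome())
    print("altered package: ", outcome(package=PACKAGE + b"!"))
    print("altered primary: ", outcome(primary=PRIMARY_XML.replace(b"example", b"other")))
    print("altered repomd:  ", outcome(repomd=REPOMD_XML.replace(b"primary.xml", b"p.xml")))
    print("unlisted package:", outcome(href="Packages/unknown.rpm"))
```

Each check is done in order so that the signature is verified before any untrusted bytes are parsed, and a change to any artifact is reported at the first link that no longer matches. The whole chain hangs off one signature, so in a deployment the signature check would be real GPG and the keyring it trusts would be the thing to protect; the chain as written also says nothing about freshness, so a policy on the `repomd.xml` revision or timestamp would be a natural companion check.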
