Rawhide issues
Chuck Anderson
cra at WPI.EDU
Tue Apr 15 12:47:02 UTC 2008
On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary
>
> How would people feel about that?
That would be better than nothing for e.g. rawhide, but getting rid of
individual package signatures where they are already used I think
would be bad. It is useful to be able to check an individual,
isolated package. Also, you'd lose the verifiability of old packages
as soon as an updated one came out and the repodata was regenerated for
the newest packages.
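The three-step chain Seth describes (signed repomd.xml, primary metadata checked against repomd.xml, package checksums checked against primary) and the failure mode Chuck points out (an old package is no longer verifiable once the repodata is regenerated) can both be shown in a small verifier. The code below is an added illustration, not code from the thread, from yum or from createrepo. All file contents are constructed in memory, and the GPG detached signature on repomd.xml is replaced by an HMAC under a hypothetical `SIGNING_KEY`, because the Python standard library has no asymmetric signing; the shape of the check is the same.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hypothetical signing key: stands in for the repository's GPG key. Real repos
# ship a detached GPG signature (repomd.xml.asc); HMAC is used here only so the
# example runs offline with the standard library.
SIGNING_KEY = b"constructed-demo-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_primary(packages):
    """Constructed stand-in for primary.xml: one <package> per file with its sha256."""
    root = ET.Element("metadata")
    for name, blob in packages.items():
        pkg = ET.SubElement(root, "package")
        ET.SubElement(pkg, "location", href=name)
        ET.SubElement(pkg, "checksum", type="sha256").text = sha256(blob)
    return ET.tostring(root)


def build_repomd(primary: bytes) -> bytes:
    """Constructed stand-in for repomd.xml: records the checksum of primary."""
    root = ET.Element("repomd")
    data = ET.SubElement(root, "data", type="primary")
    ET.SubElement(data, "checksum", type="sha256").text = sha256(primary)
    return ET.tostring(root)


def sign(repomd: bytes) -> bytes:
    """Stand-in for the detached signature over repomd.xml."""
    return hmac.new(SIGNING_KEY, repomd, hashlib.sha256).digest()


def verify_chain(repomd: bytes, signature: bytes, primary: bytes,
                 name: str, blob: bytes) -> bool:
    """Return True only if every link from signature to package bytes holds."""
    # 1. The signature on repomd.xml must verify; nothing else is trusted yet.
    if not hmac.compare_digest(sign(repomd), signature):
        return False
    # 2. primary must match the checksum that the signed repomd.xml records.
    recorded = ET.fromstring(repomd).find("data[@type='primary']/checksum").text
    if not hmac.compare_digest(recorded, sha256(primary)):
        return False
    # 3. The package must be listed in primary and match its recorded checksum.
    for pkg in ET.fromstring(primary).findall("package"):
        if pkg.find("location").get("href") == name:
            return hmac.compare_digest(pkg.find("checksum").text, sha256(blob))
    # Not listed: with no per-package signature, nothing vouches for this file.
    return False


def scenarios():
    """Run the verifier over constructed repo states; returns outcome per case."""
    foo_10 = b"constructed bytes of foo-1.0.rpm"
    primary = build_primary({"foo-1.0.rpm": foo_10})
    repomd = build_repomd(primary)
    sig = sign(repomd)

    # Repodata regenerated after foo-1.1 replaces foo-1.0 (Chuck's objection):
    # the old package is no longer referenced anywhere that is signed.
    primary_new = build_primary({"foo-1.1.rpm": b"constructed bytes of foo-1.1.rpm"})
    repomd_new = build_repomd(primary_new)
    sig_new = sign(repomd_new)

    return {
        "intact": verify_chain(repomd, sig, primary, "foo-1.0.rpm", foo_10),
        "tampered_package": verify_chain(repomd, sig, primary, "foo-1.0.rpm", foo_10 + b"x"),
        "tampered_primary": verify_chain(repomd, sig, primary + b" ", "foo-1.0.rpm", foo_10),
        "bad_signature": verify_chain(repomd, bytes(32), primary, "foo-1.0.rpm", foo_10),
        "old_pkg_after_regen": verify_chain(repomd_new, sig_new, primary_new, "foo-1.0.rpm", foo_10),
    }


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

The last case is the point of the reply: foo-1.0.rpm is byte-for-byte unchanged and was once verifiable, but after the repodata moves on nothing signed refers to it any more, so an isolated copy cannot be checked. A per-package signature travels with the file and does not have that dependency on the current repodata.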