Rawhide issues

Chuck Anderson cra at WPI.EDU
Tue Apr 15 12:47:02 UTC 2008


On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
> 
> Then we'd have:
>  - signed repomd.xml
>  - verify primary metadata against signed repomd.xml
>  - verify package checksums against primary
> 
> How would people feel about that?

That would be better than nothing for e.g. rawhide, but getting rid of 
individual package signatures where they are already used I think 
would be bad.  It is useful to be able to check an individual, 
isolated package.  Also, you'd lose the verifiability of old packages 
as soon as an updated one came out and the repodata was regenerated for 
the newest packages.
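The three-step chain in the quoted proposal, together with the regenerated-repodata problem raised in the reply, as an added illustration (this is not code from the original post, nor from yum or createrepo). It assumes a minimal made-up layout for repomd.xml and primary.xml, stands in for the GPG detached signature on repomd.xml with an HMAC under a shared key, and uses constructed package contents throughout.

```python
"""Added example of the repodata trust chain sketched in the quoted mail.

Chain: signature on repomd.xml -> sha256 of primary.xml recorded in
repomd.xml -> sha256 of each package recorded in primary.xml.
The signature is an HMAC stand-in (assumption; a real repo uses GPG),
and the XML layouts below are simplified, constructed ones.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SIGNING_KEY = b"stand-in for the repository signing key"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_primary(packages):
    """primary.xml (constructed layout): one <package> per RPM with its sha256."""
    root = ET.Element("metadata")
    for name, blob in sorted(packages.items()):
        pkg = ET.SubElement(root, "package")
        ET.SubElement(pkg, "name").text = name
        ET.SubElement(pkg, "checksum", type="sha256").text = sha256(blob)
    return ET.tostring(root)


def build_repomd(primary):
    """repomd.xml (constructed layout): records the sha256 of primary.xml."""
    root = ET.Element("repomd")
    data = ET.SubElement(root, "data", type="primary")
    ET.SubElement(data, "checksum", type="sha256").text = sha256(primary)
    return ET.tostring(root)


def sign(repomd):
    # Stand-in for a detached GPG signature over repomd.xml (assumption).
    return hmac.new(SIGNING_KEY, repomd, hashlib.sha256).digest()


def verify_signature(repomd, sig):
    return hmac.compare_digest(sign(repomd), sig)


def publish(packages):
    """Regenerate repodata for the given package set: (repomd, sig, primary)."""
    primary = build_primary(packages)
    repomd = build_repomd(primary)
    return repomd, sign(repomd), primary


def verify_package(name, blob, repomd, sig, primary):
    """Walk the chain top-down; any broken link makes the package unverifiable."""
    # 1. Only a correctly signed repomd.xml is trusted at all.
    if not verify_signature(repomd, sig):
        return False
    # 2. primary.xml must match the checksum pinned in the signed repomd.xml.
    pinned = ET.fromstring(repomd).find("data[@type='primary']/checksum").text
    if not hmac.compare_digest(pinned, sha256(primary)):
        return False
    # 3. The package must match the checksum listed in primary.xml.
    for pkg in ET.fromstring(primary).findall("package"):
        if pkg.findtext("name") == name:
            return hmac.compare_digest(pkg.find("checksum").text, sha256(blob))
    # Not listed in this repodata: nothing vouches for it any more.
    return False


def demo():
    old = b"foo-1.0-1.rpm contents (constructed)"
    new = b"foo-1.1-1.rpm contents (constructed)"
    repo_v1 = publish({"foo-1.0-1": old})   # repodata when only 1.0 existed
    repo_v2 = publish({"foo-1.1-1": new})   # regenerated after the update
    repomd2, sig2, primary2 = repo_v2
    return {
        "old_pkg_with_old_repodata": verify_package("foo-1.0-1", old, *repo_v1),
        # The old RPM is untouched, yet nothing signed vouches for it now.
        "old_pkg_with_new_repodata": verify_package("foo-1.0-1", old, *repo_v2),
        "tampered_package": verify_package("foo-1.1-1", new + b"x", *repo_v2),
        "tampered_primary": verify_package("foo-1.1-1", new, repomd2, sig2,
                                           primary2 + b" "),
        "forged_signature": verify_package("foo-1.1-1", new, repomd2,
                                           b"\x00" * 32, primary2),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'REJECTED'}")
```

The last two dictionary entries show why the proposal still holds against a mirror that swaps out primary.xml or forges repomd.xml; the second entry is the cost the reply points out, since with no per-package signature the old RPM becomes unverifiable the moment the repodata no longer lists it.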




More information about the fedora-devel-list mailing list