Should Fedora rpms be signed?

Satish Balay balay at fastmail.fm
Fri Nov 5 07:28:21 UTC 2004
On Fri, 5 Nov 2004, seth vidal wrote:

> This is just based on keys in your rpmdb.
> 
> The idea is this:
> 
> if you have 3 repos available to yum.
> 
> They are signed with 3 separate gpg keys. So you've imported all the
> keys into your rpmdb. The whole point of the feature I described before
> is so you can say:
> 
> the only packages I want from this repository are signed with _this_
> key. If you get a package from this repository that is signed with any
> other key, even if I have that key in my rpmdb, don't trust it.

Ok - here you are saying EACH package is signed. And this package
signature is the one that's compared.

The inferences I get from the above are:

- all packages from all repos should be signed (ideally)
- if an unsigned package is part of the dep-resolve list - then yum
  just aborts the transaction
- (Obviously - the main feature) if the 'key' doesn't match the one
  specified for this repo in yum.conf - the transaction is aborted.

I do like this new feature. A couple of questions remain.

- Where does signing 'metadata' fit in here?

- And this scheme would require rawhide packages also to be signed
  with some key. (or am I misreading this?)

thanks,
Satish
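The per-repository key policy discussed in this thread, as an added toy model (not yum's code and not from either poster): a package passes only if it is signed and its signer is the key bound to the repo it came from, and the whole transaction aborts otherwise. The repo-to-key binding, the rpmdb key set and the key ids are constructed for the example.

```python
"""Toy model of a per-repository signing-key policy for a yum-style
transaction. Key ids, repo names and the rpmdb contents are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Package:
    name: str
    repo: str
    signer_keyid: Optional[str]  # None models an unsigned package


# Hypothetical yum.conf-style binding: each repo may use exactly one key.
REPO_KEYS: Dict[str, str] = {
    "core": "KEY-A",
    "extras": "KEY-B",
    "rawhide": "KEY-C",
}

# Keys that have been imported into the rpmdb (constructed).
RPMDB_KEYS: Set[str] = {"KEY-A", "KEY-B", "KEY-C"}


def check_package(pkg: Package, repo_keys: Dict[str, str],
                  rpmdb_keys: Set[str]) -> Optional[str]:
    """Return None if the package passes, otherwise the reason to reject it."""
    if pkg.signer_keyid is None:
        return f"{pkg.name}: unsigned package from repo '{pkg.repo}'"
    if pkg.signer_keyid not in rpmdb_keys:
        return f"{pkg.name}: signed with unknown key {pkg.signer_keyid}"
    expected = repo_keys.get(pkg.repo)
    if expected is None:
        return f"{pkg.name}: repo '{pkg.repo}' has no key configured"
    if pkg.signer_keyid != expected:
        # The key is trusted in the rpmdb, but not for this repository.
        return (f"{pkg.name}: signed with {pkg.signer_keyid}, but repo "
                f"'{pkg.repo}' is bound to {expected}")
    return None


def check_transaction(pkgs: List[Package], repo_keys: Dict[str, str] = REPO_KEYS,
                      rpmdb_keys: Set[str] = RPMDB_KEYS) -> Tuple[bool, List[str]]:
    """Abort the whole transaction if any package in it fails the policy."""
    problems = [r for r in (check_package(p, repo_keys, rpmdb_keys) for p in pkgs) if r]
    return (not problems, problems)
```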