Should Fedora rpms be signed?
seth vidal
skvidal at phy.duke.edu
Tue Oct 26 21:19:01 UTC 2004
> Just don't let yum install packages that aren't signed. How about you
> start a rawhide mirror with the following properties: if a package is
> not signed, it won't be in your mirror; you'll keep the previous
> version of such package instead.
Then it would not be a rawhide mirror. It would be a rawhide distortion.
Mirror implies an identical reflection. :)
> An alternative is to script a yum wrapper that, when encountering an
> unsigned package, automatically excludes that and retries, until you
> get only signed packages installed. Heck, wouldn't it be way so cool
> if yum could do it all by itself?
You could download the header from the package and look beyond it to see
if there are any non-md5/sha1 signatures and if any of those are gpg
signatures. However, you won't be able to know if it passes the sig
check w/o downloading the whole package. And boy would that suck for the
user.
> It's unlikely that signed packages will have dependencies on unsigned
> packages, because of the way signing is done, so odds are that, given
> daily rawhide pushes, you'd be able to move forward quite regularly.
Except that testing would crawl to a halt on the unsigned packages.
> > If yum could provide a lesser degree of verification, by verifying
> > checksums instead of signatures, this wouldn't be a bad thing?
>
> Err... Doesn't it? up2date does, and so does rpm.
yum checks the package checksum and the file checksum, yes.
-sv
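
Added example, not part of the original message and not yum's code: a sketch of the check described above, reading only the first bytes of a package (the 96-byte lead plus the signature header index) to see whether it carries anything beyond MD5/SHA1 digests. The tag numbers are those in rpm's rpmtag.h; the function names and the sample bytes are constructed for illustration, and a tag being present says nothing about whether the signature verifies.

```python
import struct

LEAD_SIZE = 96                        # fixed-size RPM lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"

# Signature-header tag numbers as defined in rpm's rpmtag.h.
DIGEST_TAGS = {1004: "MD5 (header+payload)", 269: "SHA1 (header only)"}
SIGNATURE_TAGS = {
    1002: "PGP/RSA (header+payload)",
    1005: "GPG/DSA (header+payload)",
    267: "DSA (header only)",
    268: "RSA (header only)",
}

def signature_tags(prefix):
    """Return the tag numbers listed in the signature header index."""
    if prefix[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = prefix[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header missing or truncated")
    nindex, _data_size = struct.unpack(">II", intro[8:16])
    first = LEAD_SIZE + 16
    if len(prefix) < first + 16 * nindex:
        raise ValueError("index truncated: fetch more bytes")
    # Each index entry is 16 bytes: tag, type, offset, count (big-endian).
    return [struct.unpack_from(">I", prefix, first + 16 * i)[0] for i in range(nindex)]

def classify(prefix):
    """Report which digests and signatures a package claims to carry."""
    tags = signature_tags(prefix)
    sigs = [SIGNATURE_TAGS[t] for t in tags if t in SIGNATURE_TAGS]
    digests = [DIGEST_TAGS[t] for t in tags if t in DIGEST_TAGS]
    return {"signed": bool(sigs), "signatures": sigs, "digests": digests}

def build_sample(tags):
    """Constructed input: lead + signature header with 4-byte dummy values."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 4 * len(tags))
    index = b"".join(struct.pack(">IIII", t, 7, 4 * i, 4) for i, t in enumerate(tags))
    return lead + intro + index + b"\x00" * (4 * len(tags))

if __name__ == "__main__":
    print(classify(build_sample([1000, 1004, 269])))             # digests only
    print(classify(build_sample([1000, 1005, 1004, 269, 267])))  # carries signatures
```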