Re: YUM security issues...

On Mon, 2008-07-28 at 14:25 -0400, Jesse Keating wrote:
> On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
> > 1. repomd.xml needs to be signed. Either attached or detached sig
> >    (advice sought).  If attached, format would be
> 
> I would prefer a detached sig, so that the checksum of repomd.xml itself
> doesn't change if the GPG sig for it does.  This is important as there
> are control files in the compose to track consistency of the tree
> itself, and having the repomd.xml change its key would invalidate this
> control file.
> 

detached sig definitely. Independent of how (or why) this is done we
will maintain backward compat. Signing the repomd.xml directly will not
allow backward compat (nor cross compat with apt/smart/etc).

I've already written the code for the detached sig - it'll be checked
into yum upstream this afternoon.

-sv


_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
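
The two points made in the thread (the repomd.xml checksum staying stable, and clients that know nothing about signatures still working) can be seen in a small model. This is an added example, not yum's code or anything posted to the list: HMAC-SHA256 stands in for the GPG signature so it runs with the standard library only, and the key, the sample repomd.xml, the attached envelope format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # stand-in for the repo signing key (assumption)
# Constructed sample metadata, not a real repomd.xml.
REPOMD = b'<?xml version="1.0"?>\n<repomd><data type="primary"/></repomd>\n'


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes, key: bytes = KEY) -> bytes:
    # HMAC-SHA256 stands in for the GPG signature (assumption, stdlib only).
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def publish_detached(repomd: bytes, key: bytes = KEY) -> dict:
    # repomd.xml is published byte for byte; the signature is a sibling file.
    return {"repomd.xml": repomd, "repomd.xml.asc": sign(repomd, key)}


def publish_attached(repomd: bytes, key: bytes = KEY) -> dict:
    # Hypothetical envelope: payload and signature share one file.
    body = b"-----BEGIN SIGNED-----\n" + repomd + b"-----SIG-----\n" + sign(repomd, key) + b"\n"
    return {"repomd.xml": body}


def control_file_ok(repo: dict, recorded: str) -> bool:
    # The compose control file records the checksum of repomd.xml.
    return sha256(repo["repomd.xml"]) == recorded


def legacy_client_ok(repo: dict) -> bool:
    # A client unaware of signatures simply parses repomd.xml as XML.
    try:
        return ET.fromstring(repo["repomd.xml"]).tag == "repomd"
    except ET.ParseError:
        return False


def verifying_client_ok(repo: dict, key: bytes = KEY) -> bool:
    # A signature-aware client fetches the sibling file and checks it.
    sig = repo.get("repomd.xml.asc")
    return sig is not None and hmac.compare_digest(sig, sign(repo["repomd.xml"], key))
```

Re-signing the detached layout with a different key replaces only the sibling signature file, so the recorded checksum of repomd.xml still matches.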
