On Mon, 2008-07-28 at 14:25 -0400, Jesse Keating wrote:
> On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
> > 1. repomd.xml needs to be signed. Either attached or detached sig
> > (advice sought). If attached, format would be
>
> I would prefer a detached sig, so that the checksum of repomd.xml itself
> doesn't change if the GPG sig for it does. This is important as there
> are control files in the compose to track consistency of the tree
> itself, and having the repomd.xml change its key would invalidate this
> control file.
>

detached sig definitely. Independent of how (or why) this is done we
will maintain backward compat. Signing the repomd.xml directly will not
allow backward compat (nor cross compat with apt/smart/etc).

I've already written the code for the detached sig - it'll be checked
into yum upstream this afternoon.

-sv