> I would find it helpful if you could tell us what practical impact
> this would have on user/admins. What happens if some packages aren't signed?
> What would users/admins have to do to make sure the appropriate sigs
> are present? Can this be enabled/disabled per-repository (I could
> probably read the docs for that one)?
>
> Basically, I suspect most of us understand the _security_ implications
> of signed packages. I don't have a feel for the hassle factor,
> though.

Well, the idea would be that gpgcheck=1 would be the default in the program defaults, so if gpgcheck was unset it would default to on for each repository (currently it defaults to off).

Then if a user turned it off, they'd get a warning message when that repository was accessed (processed in the config file, more likely).

Keys are easy - just rpm --import publickey.

If you have an unsigned pkg in a repository where things are expected to be signed, then an error occurs when you attempt to install that pkg.

Does that make sense?

-sv
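The behaviour described in the reply (gpgcheck on by default, a warning for any repository that explicitly turns it off, keys imported with rpm --import), as an added example that is not part of the original message and not yum's own code. The repository stanzas, mirror URLs and key path below are constructed for the example, and the awk parsing is a small illustration of the proposed per-repo defaulting, not the real yum config parser:

```shell
#!/bin/sh
# Added example, not from the yum list post. Applies the proposed rule
# "gpgcheck defaults to 1 unless the repo stanza sets it" to a sample
# yum.repos.d-style config and flags the repos that switch it off.

# Constructed sample config; repo names, URLs and key path are made up.
SAMPLE_REPO_CONF=$(cat <<'EOF'
[base]
name=Example Base
baseurl=http://mirror.example.invalid/base/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[contrib]
name=Example Contrib (unsigned)
baseurl=http://mirror.example.invalid/contrib/
gpgcheck=0
EOF
)

# Print the effective gpgcheck value for the named repo: the stanza's own
# gpgcheck line if present, otherwise the proposed program default of 1.
effective_gpgcheck() {
    printf '%s\n' "$SAMPLE_REPO_CONF" | awk -v want="$1" '
        /^\[/ { in_sect = ($0 == "[" want "]"); next }
        in_sect && /^gpgcheck[ \t]*=/ { sub(/^gpgcheck[ \t]*=[ \t]*/, ""); val = $0 }
        END { if (val == "") val = 1; print val }'
}

# List every repo whose stanza explicitly sets gpgcheck=0, one per line;
# these are the repos the reply says should trigger a warning.
unchecked_repos() {
    printf '%s\n' "$SAMPLE_REPO_CONF" | awk '
        /^\[/ { sect = substr($0, 2, length($0) - 2); next }
        /^gpgcheck[ \t]*=[ \t]*0[ \t]*$/ { print sect }'
}

# Print the file path named by a repo's gpgkey=file:///... line, so an
# admin can hand it to "rpm --import" (the key import step from the reply).
repo_key_path() {
    printf '%s\n' "$SAMPLE_REPO_CONF" | awk -v want="$1" '
        /^\[/ { in_sect = ($0 == "[" want "]"); next }
        in_sect && /^gpgkey[ \t]*=[ \t]*file:\/\// { sub(/^gpgkey[ \t]*=[ \t]*file:\/\//, ""); print }'
}

# Real-system step, not run here: import the repo key into the rpm keyring.
import_repo_key() {
    rpm --import "$(repo_key_path "$1")"
}

for r in base contrib; do
    printf 'repo %s: effective gpgcheck=%s\n' "$r" "$(effective_gpgcheck "$r")"
done
for r in $(unchecked_repos); do
    printf 'warning: repository %s has gpgcheck disabled\n' "$r" >&2
done
```

On a real system the remaining steps are the ones the reply names: `rpm --import` the key that `repo_key_path` points at, after which an unsigned package from a repo whose effective gpgcheck is 1 is refused at install time.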