[Yum] gpg sig checking

On Fri, 2003-04-11 at 09:08, Troy Dawson wrote:
> Hi,
> Pardon my ignorance, since we didn't move to 8.0, and jumping from 9.0 to 7.3 
> I'm still new to this signature thing.

well, gpg signatures have been available in rpm for a long while and
gpg sigs could be checked in yum since about 0.8.X iirc.


> > And would it really matter?
> > 
> 
> When we first started installing RedHat 9.0, somehow we didn't have their 
> public key, or one of their public keys.  I don't know how it happened, but 
> about half of the packages we installed yelled at us.
> Let's say that happens again, then none of our updates would work.
> 
> Also, we don't currently use a key for the packages we make here (which is 
> quite a few), this would cause a lot of undue concern if every time someone 
> installed one of our packages, they were warned.  Granted we could start doing 
> that, but then we would also have to remake all of the packages we have, as 
> well as convince all the other programmers to put it in theirs.

Why aren't you signing your packages? It lets you confirm, to some
extent, that the package has not been tampered with and to know the
source that the package came from, and therefore to determine if that
source is trusted.

I'm inclined to leave the gpg checking the way it is but enhance the
options so that packagers who want to be more strict about what gets
checked, will be able to.

I dunno, still thinking.

-sv
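The exchange above turns on whether yum is told to verify signatures at all. The following is an added example, not code from the thread or from the yum project: a small POSIX shell audit that reads a yum.conf-style file and lists every section whose `gpgcheck` setting is missing or not `1`, i.e. the repositories from which packages would be installed without signature verification. The sample configuration, its repository names and URLs are constructed for the example; the `rpm --import` and `rpm -K` commands mentioned in the comments are the standard rpm commands for trusting a key and verifying a package and are not executed here.

```shell
#!/bin/sh
# Added example (not from the thread): audit a yum.conf-style file and list
# every section whose gpgcheck setting is absent or not exactly "1".
# Such sections install packages without signature verification, which is
# the exposure discussed in the message above.

# Constructed sample configuration; repo names and URLs are hypothetical.
SAMPLE_CONF="${TMPDIR:-/tmp}/yum-audit-sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[main]
cachedir=/var/cache/yum
gpgcheck=1

[base]
name=Base OS
baseurl=http://mirror.example.invalid/base/
gpgcheck=1

[local]
name=Locally built packages
baseurl=file:///srv/rpms/
gpgcheck=0

[updates]
name=Updates
baseurl=http://mirror.example.invalid/updates/
EOF

# Print, one per line, the names of sections where gpgcheck is not 1.
audit_gpgcheck() {
    awk '
        function flush() {
            if (section != "" && ok != 1) print section
        }
        # A new [section] header: report the previous section, reset state.
        /^[[:space:]]*\[.*\][[:space:]]*$/ {
            flush()
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\][[:space:]]*$/, "", section)
            ok = 0
            next
        }
        # gpgcheck=1 (whitespace tolerated) marks the section as verified.
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            if (kv[2] == "1") ok = 1
        }
        END { flush() }
    ' "$1"
}

# Succeed (status 0) only when every section in the file has gpgcheck=1.
gpgcheck_is_strict() {
    [ -z "$(audit_gpgcheck "$1")" ]
}

# Related rpm commands, shown as comments because they need rpm and gpg:
#   rpm --import /path/to/RPM-GPG-KEY   # trust a vendor's public key
#   rpm -K package.rpm                  # verify a package's signature
audit_gpgcheck "$SAMPLE_CONF"
```

Run as-is it prints `local` and `updates`: the locally built packages the thread talks about and a repository that simply forgot the setting. Fixing the report means adding `gpgcheck=1` to those sections and importing the key that signed their packages with `rpm --import`; the per-section check matters because a strict `[main]` does not help if an individual repository overrides it.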



