I'm looking for advice on best practices for setting up a repository with respect to package signing.

Clearly, rpms should be signed by a key available from the repository site. I plan to set up our web server so that the key is available only via https, which makes it more difficult to spoof the server. We plan to use a key that is maintained by the project itself - not any individual person's key.

My question has to do with other measures to ensure the trust of that key - do repository &| package maintainers generally sign the package-signing keys with other keys to get it related to other trust networks?

--
Scott Lawrence
Consulting Engineer
Pingtel Corp.
http://www.pingtel.com/
+1.781.938.5306 x162