On Sat, 2005-07-16 at 13:18 -0400, Tom Diehl wrote:
> On Sat, 16 Jul 2005, Florin Andrei wrote:
> >
> > The big repos are using GPG, but people who just happen to maintain a
> > few RPMs very rarely do.
>
> Ok, but what is wrong with adding gpgcheck=0 to the repo you do not want
> the checks to be done on?

That repo is typically Fedora itself ;-) (that's the one that 'yum
localinstall' is typically calling) and I do not want to grab Fedora
packages from a mirror in the neck of the woods somewhere, and the
packages be compromised.

> OTOH, if you trust them enough to install the
> packages in the first place, why not just sign the packages yourself. At
> least then you are reasonably sure the package you think you are installing
> is the one that gets installed.

I did not know that it was possible to sign a package after it was built.
I see now, I think it's the "Signing A Package" section in the rpm man
page. Thanks.

But anyway, it's still a minor hassle from the user's p.o.v. I know many
semi-educated people who can grasp the "concept" of doing 'yum
localinstall' but who would balk at self-signing packages. Since yum is
all about simplifying package management, I thought it would make sense
to add a flag to skip the GPG defaults when the situation requires it.

Anyway, it was just a thought...

-- 
Florin Andrei

http://florin.myip.org/
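The risk the thread circles around is that putting gpgcheck=0 on the Fedora repo itself turns off signature checking for every package fetched from a mirror, not just the locally built ones. The following is an added example, not code from the thread or from yum: a small shell check that scans a yum repo configuration and names remote repos whose gpgcheck is not enabled. The repo file content, repo names and URLs are constructed for the example.

```shell
#!/bin/sh
# Constructed sample yum repo configuration (not a real system file).
# The "fedora" repo is the risky one: remote mirror, gpgcheck disabled.
# The "local-rpms" repo is a file:// repo, where gpgcheck=0 is a local choice.
SAMPLE_REPO_CONF=$(cat <<'EOF'
[fedora]
name=Fedora Core
baseurl=http://mirror.example.org/fedora/core/4/i386/os/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[local-rpms]
name=Locally built RPMs
baseurl=file:///srv/local-rpms/
enabled=1
gpgcheck=0

[updates]
name=Fedora Core updates
baseurl=http://mirror.example.org/fedora/core/updates/4/i386/
enabled=1
gpgcheck=1
EOF
)

# Print, one per line, the names of repos that fetch packages over the
# network (http/https/ftp baseurl) but do not set gpgcheck=1. A missing
# gpgcheck line is reported as well, since it cannot be relied upon.
unsigned_remote_repos() {
    printf '%s\n' "$1" | awk '
    function flush() {
        if (repo != "" && remote && gpgcheck != "1") print repo
    }
    /^\[/ {
        flush()
        repo = substr($0, 2, length($0) - 2); gpgcheck = ""; remote = 0
        next
    }
    /^gpgcheck=/ { split($0, kv, "="); gpgcheck = kv[2] }
    /^baseurl=(http|https|ftp):/ { remote = 1 }
    END { flush() }
    '
}

unsigned_remote_repos "$SAMPLE_REPO_CONF"
```

Run against /etc/yum.conf or the files under /etc/yum.repos.d to see which remote repos would install unchecked packages.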