On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
> On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs
> <aleksis.jauntevs@xxxxxxxxx> wrote:
> > I don't think that repo.db should be signed and it is enough to sign only
> > the packages. As I understand so far the only reason to sign repo.db file is
> > to prevent "replay" situations in repos.
>
> It's the other way round: signing the DB is important while signing single
> packages is not (but should still be done for some reasons).
>
> If the DB is not signed I could simply add additional packages or replace
> packages.

Yes, but if we compare the repo.db's with other mirrors then we could tell that this has happened.

--
Aleksis Jauntēvs
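The difference between the two positions, as an added example that is not part of the thread: a client that checks only per-package signatures accepts a mirror's edited repo.db, a client that checks the DB signature rejects it, and the mirror comparison flags it. HMAC stands in for the real repo and packager signatures, and the keys and packages are constructed.

```python
import hashlib
import hmac
# Constructed toy model of the thread's argument (assumption: HMAC stands in for real signatures).
REPO_KEY = b"constructed-repo-db-key"
PKG_KEY = b"constructed-packager-key"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def serialize_db(db: dict) -> bytes:
    # repo.db modelled as sorted "name sha256" lines so the signature is stable
    return "\n".join(f"{n} {h}" for n, h in sorted(db.items())).encode()

def build_repo(packages: dict):
    """Packager signs each package file; the repo signs the DB listing their hashes."""
    pkgsigs = {n: sign(PKG_KEY, blob) for n, blob in packages.items()}
    db = {n: sha256(blob) for n, blob in packages.items()}
    return db, sign(REPO_KEY, serialize_db(db)), pkgsigs

def verify_packages_only(db, packages, pkgsigs) -> bool:
    """Client trusts whatever repo.db the mirror serves and checks only package signatures."""
    return all(n in packages and hmac.compare_digest(pkgsigs.get(n, ""), sign(PKG_KEY, packages[n]))
               for n in db)

def verify_signed_db(db, dbsig, packages) -> bool:
    """Client checks the DB signature first, then that every file matches the DB."""
    if not hmac.compare_digest(dbsig, sign(REPO_KEY, serialize_db(db))):
        return False
    return all(n in packages and sha256(packages[n]) == h for n, h in db.items())

def mirrors_agree(dbs) -> bool:
    """Aleksis' check: a tampered repo.db no longer matches the other mirrors."""
    return len({serialize_db(db) for db in dbs}) == 1

def replace_on_mirror(db, packages, pkgsigs, name, old_blob, old_sig):
    """Pierre's replace: a mirror swaps in an older, validly signed build and edits repo.db."""
    db, packages, pkgsigs = dict(db), dict(packages), dict(pkgsigs)
    db[name], packages[name], pkgsigs[name] = sha256(old_blob), old_blob, old_sig
    return db, packages, pkgsigs

# Constructed sample repo plus an older release of foo that the attacker kept around.
GOOD_PKGS = {"foo": b"foo-1.1 (fixed)", "bar": b"bar-2.0"}
OLD_FOO = b"foo-1.0 (known bug)"
GOOD_DB, GOOD_DBSIG, GOOD_SIGS = build_repo(GOOD_PKGS)
BAD_DB, BAD_PKGS, BAD_SIGS = replace_on_mirror(
    GOOD_DB, GOOD_PKGS, GOOD_SIGS, "foo", OLD_FOO, sign(PKG_KEY, OLD_FOO))
```

Serving a complete older repo.db together with its old signature (the replay case Aleksis mentions) still passes `verify_signed_db`; that is the case the mirror comparison is meant to catch.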