rawhide signing and other such things

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I've been reading the thread of complaints about rawhide being unsigned.

The problem is, of course, a feasibility of getting the pkgs signed in a
semi-secure format.

What if we did the following:

we added functions to anything that reads repomd.xml to check for a gpg
signature in a detached file.

Then we could verify that the repomd.xml file is the original one.

That lets us know that the sha1 or md5 checksums in the repomd.xml file
pointing to the primary, filelists, other and groups metadata are valid.

if the metadata.xml files match the checksum from the signed and
verified repomd.xml then we know those files are valid.

Now Each package entry contains a package id in the metadata.

that id is either and md5sum or a sha1sum of the package file itself.

So now, if we download that file and the md5sum or sha1sum matches what
is in the metadata xml files then we know it is valid too.

This at least gets us to a point where we can reasonably trust the
packages from the repository based on a single signature for the
repomd.xml file.


What do y'all think? Would that be workable?

-sv



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux