I've been reading the thread of complaints about rawhide being unsigned. The problem is, of course, the feasibility of getting the pkgs signed in a semi-secure format. What if we did the following: we added functions to anything that reads repomd.xml to check for a gpg signature in a detached file. Then we could verify that the repomd.xml file is the original one. That lets us know that the sha1 or md5 checksums in the repomd.xml file pointing to the primary, filelists, other and groups metadata are valid. If the metadata.xml files match the checksum from the signed and verified repomd.xml, then we know those files are valid.

Now each package entry contains a package id in the metadata. That id is either an md5sum or a sha1sum of the package file itself. So now, if we download that file and the md5sum or sha1sum matches what is in the metadata xml files, then we know it is valid too. This at least gets us to a point where we can reasonably trust the packages from the repository based on a single signature for the repomd.xml file.

What do y'all think? Would that be workable?

-sv
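The chain described in the post, worked through as an added example (not code from the original post or from yum/createrepo): a signed repomd.xml vouches for the checksum of primary.xml, and primary.xml vouches for the pkgid checksum of each package. The repository files here are constructed in memory, and a keyed HMAC stands in for the detached gpg signature on repomd.xml so the example runs offline; the `verify_chain` function and the checksum-type mapping are assumptions made for the example. Each link in the chain is checked in order, so a tampered metadata file or package is caught at the first link that no longer matches.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample repository held entirely in memory.
# In a real repository repomd.xml would be accompanied by a detached gpg
# signature (e.g. repomd.xml.asc); here an HMAC with a constructed key
# stands in for that signature so the example runs without gpg.
SIGNING_KEY = b"stand-in-for-the-repository-signing-key"  # constructed

# Namespaces used by repomd.xml and primary.xml.
NS = {"repo": "http://linux.duke.edu/metadata/repo",
      "common": "http://linux.duke.edu/metadata/common"}

# Checksum type names as they appear in the metadata -> hashlib names
# (mapping assumed for this example; "sha" was the old spelling of sha1).
CHECKSUM_TYPES = {"sha": "sha1", "sha1": "sha1", "md5": "md5", "sha256": "sha256"}

PACKAGE_HREF = "example-1.0-1.noarch.rpm"
PACKAGE_BYTES = b"RPM\x00constructed package payload\n"  # constructed "rpm"


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data using the checksum type named in the metadata."""
    return hashlib.new(algo, data).hexdigest()


# primary.xml: each package entry carries its pkgid checksum.
PRIMARY_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha" pkgid="YES">{digest(PACKAGE_BYTES, "sha1")}</checksum>
    <location href="{PACKAGE_HREF}"/>
  </package>
</metadata>
""".encode()

# repomd.xml: carries the checksum of primary.xml; this is the one file
# that gets signed.
REPOMD_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml"/>
    <checksum type="sha">{digest(PRIMARY_XML, "sha1")}</checksum>
  </data>
</repomd>
""".encode()

# The "detached signature" over repomd.xml (HMAC stand-in, see above).
REPOMD_SIGNATURE = hmac.new(SIGNING_KEY, REPOMD_XML, "sha256").hexdigest()


def verify_repomd_signature(repomd: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Link 1: is repomd.xml the file the repository owner signed?"""
    expected = hmac.new(key, repomd, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)


def metadata_checksums(repomd: bytes) -> dict:
    """Parse repomd.xml -> {metadata type: (hashlib algo, expected hex digest)}."""
    out = {}
    for data in ET.fromstring(repomd).findall("repo:data", NS):
        cs = data.find("repo:checksum", NS)
        out[data.get("type")] = (CHECKSUM_TYPES[cs.get("type")], cs.text.strip())
    return out


def package_checksums(primary: bytes) -> dict:
    """Parse primary.xml -> {package href: (hashlib algo, expected pkgid digest)}."""
    out = {}
    for pkg in ET.fromstring(primary).findall("common:package", NS):
        href = pkg.find("common:location", NS).get("href")
        cs = pkg.find("common:checksum", NS)
        out[href] = (CHECKSUM_TYPES[cs.get("type")], cs.text.strip())
    return out


def verify_chain(repomd: bytes, signature: str, primary: bytes,
                 href: str, package: bytes) -> str:
    """Walk the chain signature -> repomd -> primary -> package.

    Returns "ok" or a string naming the first link that failed.
    """
    if not verify_repomd_signature(repomd, signature):
        return "bad repomd signature"
    # Link 2: primary.xml must match the checksum in the signed repomd.xml.
    algo, expected = metadata_checksums(repomd)["primary"]
    if not hmac.compare_digest(digest(primary, algo), expected):
        return "primary metadata does not match signed repomd.xml"
    # Link 3: the package must match the pkgid in the verified primary.xml.
    pkgs = package_checksums(primary)
    if href not in pkgs:
        return "package not listed in verified metadata"
    algo, expected = pkgs[href]
    if not hmac.compare_digest(digest(package, algo), expected):
        return "package checksum mismatch"
    return "ok"


if __name__ == "__main__":
    print(verify_chain(REPOMD_XML, REPOMD_SIGNATURE, PRIMARY_XML, PACKAGE_HREF, PACKAGE_BYTES))
```

Note that only repomd.xml needs a signature: any change to primary.xml breaks link 2, and any change to a package breaks link 3, as long as the checksums involved are collision resistant (which is the reason to prefer sha256 over md5 or sha1 for the pkgid and metadata checksums).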