On Tue, 26 Oct 2004, seth vidal wrote:

> I've been reading the thread of complaints about rawhide being unsigned.
>
> The problem is, of course, a feasibility of getting the pkgs signed in a
> semi-secure format.
>
> What if we did the following:
>
> we added functions to anything that reads repomd.xml to check for a gpg
> signature in a detached file.
>
> Then we could verify that the repomd.xml file is the original one.
>
> That lets us know that the sha1 or md5 checksums in the repomd.xml file
> pointing to the primary, filelists, other and groups metadata are valid.
>
> if the metadata.xml files match the checksum from the signed and
> verified repomd.xml then we know those files are valid.
>
> Now each package entry contains a package id in the metadata.
>
> that id is either an md5sum or a sha1sum of the package file itself.
>
> So now, if we download that file and the md5sum or sha1sum matches what
> is in the metadata xml files then we know it is valid too.
>
> This at least gets us to a point where we can reasonably trust the
> packages from the repository based on a single signature for the
> repomd.xml file.
>
> What do y'all think? Would that be workable?

That's basically how apt's "authenticated repositories" work.

- Panu -
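The chain of trust proposed in the quoted message, written out as an added example (not code from the thread, yum or apt): one signature covers repomd.xml, repomd.xml carries checksums of the metadata files, and the metadata carries the pkgid checksum of each package. The repository below is constructed in memory with simplified XML (no namespaces), and the GPG detached signature is stood in for by an HMAC with a constructed key, labelled as such; a real client would hand repomd.xml and its .asc file to gpg instead. Everything else (the checksum walk and the failure cases) is the actual verification logic.

```python
"""Chain-of-trust check for a repomd-style repository: signed repomd.xml,
checksummed metadata, checksummed packages. Added example, not project code."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for the repository's GPG signing key (hypothetical).
# Real clients verify a detached GPG signature over repomd.xml instead.
DEMO_KEY = b"constructed-demo-signing-key"


class VerificationError(Exception):
    """Raised at the first link in the chain that fails to verify."""


def digest(algo, data):
    """Hex digest with an allowlist of the checksum types repomd uses."""
    if algo not in ("md5", "sha1", "sha256"):
        raise VerificationError(f"unsupported checksum type {algo!r}")
    return hashlib.new(algo, data).hexdigest()


def sign_repomd(repomd_bytes):
    # HMAC stands in for the detached GPG signature (constructed, not GPG).
    return hmac.new(DEMO_KEY, repomd_bytes, hashlib.sha256).digest()


def verify_repomd_signature(repomd_bytes, signature):
    return hmac.compare_digest(sign_repomd(repomd_bytes), signature)


def build_repo():
    """Constructed repository: one package, primary.xml, repomd.xml, signature."""
    pkg = b"constructed package payload, not a real rpm"
    primary = (
        "<metadata>"
        '<package type="rpm"><name>demo</name>'
        f'<checksum type="sha1" pkgid="YES">{digest("sha1", pkg)}</checksum>'
        '<location href="demo-1.0.rpm"/></package>'
        "</metadata>"
    ).encode()
    repomd = (
        "<repomd>"
        f'<data type="primary"><checksum type="sha1">{digest("sha1", primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data>'
        "</repomd>"
    ).encode()
    files = {
        "repodata/repomd.xml": repomd,
        "repodata/primary.xml": primary,
        "demo-1.0.rpm": pkg,
    }
    return files, sign_repomd(repomd)


def verify_repo(files, signature):
    """Walk the chain top-down; return the package paths that verified."""
    repomd = files["repodata/repomd.xml"]
    # Link 1: the single signature over repomd.xml.
    if not verify_repomd_signature(repomd, signature):
        raise VerificationError("repomd.xml signature does not verify")
    # Link 2: each metadata file must match the checksum in signed repomd.xml.
    metadata = {}
    for data in ET.fromstring(repomd).findall("data"):
        cs = data.find("checksum")
        href = data.find("location").get("href")
        if digest(cs.get("type"), files[href]) != cs.text:
            raise VerificationError(f"checksum mismatch for {href}")
        metadata[data.get("type")] = files[href]
    # Link 3: each package must match the pkgid checksum in verified primary.xml.
    verified = []
    for pkg in ET.fromstring(metadata["primary"]).findall("package"):
        cs = pkg.find("checksum")
        href = pkg.find("location").get("href")
        if digest(cs.get("type"), files[href]) != cs.text:
            raise VerificationError(f"pkgid mismatch for {href}")
        verified.append(href)
    return verified


def tamper_result(path, replacement=b"tampered"):
    """Replace one file in a fresh repo and report which link catches it."""
    files, sig = build_repo()
    files[path] = replacement
    try:
        verify_repo(files, sig)
    except VerificationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    files, sig = build_repo()
    print("verified:", verify_repo(files, sig))
    for path in ("demo-1.0.rpm", "repodata/primary.xml", "repodata/repomd.xml"):
        print(path, "->", tamper_result(path))
```

The order matters: the signature is checked before any checksum is trusted, so a modified primary.xml that carries a matching pkgid for a modified package is still rejected at link 2, because the signed repomd.xml no longer matches it. Replacing the signature step with a real detached-signature check is the only change needed to make this the scheme described in the thread.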