On 08/23/2017 01:17 AM, Tomas Tomecek wrote:
>
> On Sun, Aug 20, 2017 at 10:59 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>
> > First, one thing that would be very handy (but could perhaps just be a
> > dnf plugin) is to install from koji, but use signed packages (if
> > available). I'm not sure how hard it would be to implement in your tool,
> > but you might take a look if you are interested.
>
> What would be the place to pick the signed packages from?

If there is a written out signed rpm you can find it at (for example):

https://kojipkgs.fedoraproject.org/packages/fedrepo-req/1.5.0/2.fc28/data/signed/9db62fb1/noarch/fedrepo-req-1.5.0-2.fc28.noarch.rpm

These are culled when they are no longer tagged into active release
tags, but if they are recent enough there should be a written out signed
rpm.

> I think this is a great suggestion. The reason it's implemented like
> this is because I had no idea where to get those signed packages.

koji download-build also has an option to download signed packages:

  --key=KEY             Download rpms signed with the given key

> > Secondly, I think this could indeed be handy for folks running rawhide
> > or branched, but I worry about people on stable releases mistakenly
> > using it and upgrading a chunk of their install to rawhide when they
> > didn't realize it would do that. Not sure how to prevent that though,
> > perhaps a warning in some cases?
>
> I like this suggestion. I opened an upstream issue for that:
>
> https://github.com/TomasTomecek/fed-install/issues/3

Thanks!

kevin
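The signed-copy location described in the message, as an added example that is not part of the original mail or of fed-install: it rebuilds the URL from an rpm file name and a key id, and rejects inputs that would change the path. It assumes the layout of the one URL quoted above holds in general and that key ids are the 8-hex-digit short form seen there; `split_nvra`, `signed_url` and `build_name` are names made up for this sketch.

```python
import re

# Host and directory layout are read off the single example URL in the
# message; treating that as the general layout is an assumption.
KOJIPKGS = "https://kojipkgs.fedoraproject.org/packages"
_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")      # may contain '-'
_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+~^]*")     # no '-', no '/'
_KEY_ID = re.compile(r"[0-9a-f]{8}")                    # short id (assumed)


def split_nvra(filename):
    """Split 'name-version-release.arch.rpm' into (name, version, release, arch)."""
    if not filename.endswith(".rpm"):
        raise ValueError(f"not an rpm file name: {filename!r}")
    nvr, _, arch = filename[: -len(".rpm")].rpartition(".")
    # The name may contain hyphens ('fedrepo-req'); version and release
    # never do, so split from the right.
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"cannot parse N-V-R.A from {filename!r}")
    name, version, release = parts
    if not _NAME.fullmatch(name):
        raise ValueError(f"bad package name in {filename!r}")
    for part in (version, release, arch):
        if not _PART.fullmatch(part):
            raise ValueError(f"bad version/release/arch in {filename!r}")
    return name, version, release, arch


def signed_url(rpm_filename, key_id, build_name=None):
    """Return the URL of the written-out copy of an rpm signed with key_id."""
    name, version, release, arch = split_nvra(rpm_filename)
    key_id = key_id.lower()
    if not _KEY_ID.fullmatch(key_id):
        raise ValueError(f"key id must be 8 hex digits: {key_id!r}")
    # Subpackages are stored under the build (source package) name, which
    # can differ from the rpm's own name; default to the rpm name.
    build = build_name or name
    if not _NAME.fullmatch(build):
        raise ValueError(f"bad build name: {build!r}")
    return "/".join([KOJIPKGS, build, version, release,
                     "data/signed", key_id, arch, rpm_filename])


if __name__ == "__main__":
    print(signed_url("fedrepo-req-1.5.0-2.fc28.noarch.rpm", "9db62fb1"))
```

A 404 on such a URL is expected for builds whose signed copies have been culled, and a file found under a key's directory should still have its signature checked against that key before installation.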