Zbigniew Jędrzejewski-Szmek wrote:
> In more mundane words: a signature will be shipped in the rpm for each
> file separately? And what will be done with this signature on the
> destination machine: will it be kept in the rpms database or something
> more?

As I understand it, yes.

> What is the overhead on packed rpm size, rpm database, on-disk
> installation?

Huge, see Panu Matilainen's comment in this thread.

> I don't think we should forbid opt-in verification, no matter if
> centrally managed or not. It's not 1995 and people have fleets of machines
> that are centrally managed...

If it is locally centrally managed, that means people are using their own
signatures and don't need Fedora to put them into the RPMs.

> ... but that is a good question. The "Benefit to Fedora" to Fedora doesn't
> actually explain why those signatures are better than the ones we already
> have.

I guess it is to comply with some standard that absolutely needs per-file
signatures. rpm -V can already verify the integrity of each file by checking
the file's cryptographic checksum that is signed (as a part of the package
contents) with the package signature.

Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
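An added illustration, not part of the thread, of the per-file check Kevin refers to: the package header holds one digest per file, the header as a whole is covered by the package's GPG signature (the part `rpm -K` checks), and `rpm -V` then compares each installed file against its header digest. The block below parses constructed records in the `rpm -q --dump` layout (path size mtime digest mode owner group isconfig isdoc rdev symlink) and reproduces the size and digest comparison over a temporary directory; it does not perform the GPG step, and the file names and contents are made up for the demo.

```python
import hashlib
import os
import tempfile


def parse_dump(dump_text):
    """Parse `rpm -q --dump`-style records into {path: (size, sha256 hex)}."""
    records = {}
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 11:  # the --dump layout always has 11 fields
            raise ValueError("malformed dump record: %r" % line)
        records[fields[0]] = (int(fields[1]), fields[3])
    return records


def verify_files(records, root="/"):
    """Return {path: reason} for files that disagree with their header record.
    'S' and '5' mirror the size and digest columns of `rpm -V` output."""
    problems = {}
    for path, (size, digest) in records.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(full):
            problems[path] = "missing"
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if len(data) != size:
            problems[path] = "S"
        elif hashlib.sha256(data).hexdigest() != digest:
            problems[path] = "5"
    return problems


def demo():
    """Constructed two-file package: verify clean, then after tampering."""
    root = tempfile.mkdtemp()
    files = {"/usr/bin/tool": b"#!/bin/sh\necho hi\n", "/etc/tool.conf": b"mode=safe\n"}
    lines = []
    for path, data in files.items():  # lay the files down and build header records
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        lines.append("%s %d 0 %s 0100644 root root 0 0 0 X"
                     % (path, len(data), hashlib.sha256(data).hexdigest()))
    records = parse_dump("\n".join(lines))
    clean = verify_files(records, root)
    with open(os.path.join(root, "usr/bin/tool"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho ho\n")  # same size, different content
    os.remove(os.path.join(root, "etc/tool.conf"))
    return clean, verify_files(records, root)
```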