On Fri, Jun 11, 2021 at 11:46:42AM -0400, Neal Gompa wrote: > > I would like repos signed even if we don't enable it in the repo > definitions by default for now. That would make it possible for my Open > Build Service instance to validate Fedora content for package builds > (it can't use metalinks or mirrorlists, but it can check and validate > signed repodata). I asked CentOS years ago to do this for the same > reason, and they did it[1]. Sure, and when we can we can... but I don't think it should be prioritzed over work that actually has wider benifits. > > Also, not having it available has made it *very* hard to prioritize > getting the issues fixed in DNF. So being able to improve this is > predicated on the existence of signed metadata. This seems odd to me. I mean, it can't be hard to setup a test repo, is it? I suspect we could even ask QE folks to do some testing and map out the issues they find. I don't think it's nice/ethical to break users just as a means to make bugs we want to have fixed higher priority. Anyhow, we are pretty off topic for this thread, so I'll try and stop... kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
