On Tue, 2008-04-15 at 12:53 +0200, Till Maas wrote:
> On Tue April 15 2008, Richard Hughes wrote:
> > On Tue, 2008-04-15 at 00:14 -0400, Jesse Keating wrote:
> > > I've prevented rawhide from being composed again until we're done
> > > signing packages
> >
> > Can't we just sign all rawhide packages in the future? Installing
> > unsigned rawhide rpms from dubious looking mirrors makes me feel dirty
> > inside. :-)
>
> Afaik Sigul, an automated gpg signing system, needs to be finished / tested
> before this will happen:
> https://fedorahosted.org/sigul
>

How would people feel if we didn't sign pkgs at all?

What if we made repodata and only signed the repomd.xml? And we made the checksum for the packages sha256 or sha512?

Then we'd have:
- signed repomd.xml
- verify primary metadata against signed repomd.xml
- verify package checksums against primary

How would people feel about that?

-sv

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
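The three-step chain proposed above (signed repomd.xml pins primary, primary pins each package), written out as an added example that is not code from the thread or from yum/createrepo. It assumes the GPG check of repomd.xml's detached signature has already been done by gpg and is passed in as a boolean, omits the XML namespaces real repodata carries, and uses constructed sample metadata and a constructed package payload.

```python
import hashlib
import xml.etree.ElementTree as ET

# Only the digests the proposal calls for; md5/sha1 entries are rejected.
STRONG = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def digest(algo, data):
    return STRONG[algo](data).hexdigest()


def verify_repo(repomd_signature_ok, repomd_xml, primary_xml, packages):
    """Return a list of failures; an empty list means the chain of trust holds.

    repomd_signature_ok: result of gpg's check of the detached signature on
    repomd.xml (performed outside this example). packages: {href: bytes}.
    Real repodata carries XML namespaces; the constructed sample omits them.
    """
    if not repomd_signature_ok:
        return ["repomd.xml: signature did not verify; nothing below is trusted"]
    # Step 1: the signed repomd.xml pins the checksum of the primary metadata.
    ck = ET.fromstring(repomd_xml).find("./data[@type='primary']/checksum")
    if ck is None or ck.get("type") not in STRONG:
        return ["repomd.xml: primary checksum missing or not sha256/sha512"]
    if digest(ck.get("type"), primary_xml) != ck.text:
        return ["primary metadata: checksum mismatch, metadata rejected"]
    # Step 2: the now-trusted primary pins the checksum of every package.
    failures, expected = [], {}
    for pkg in ET.fromstring(primary_xml).findall("package"):
        pck, href = pkg.find("checksum"), pkg.find("location").get("href")
        if pck.get("type") in STRONG:
            expected[href] = (pck.get("type"), pck.text)
        else:
            failures.append("%s: weak checksum type %s" % (href, pck.get("type")))
    for href, data in packages.items():
        if href not in expected:
            failures.append("%s: not listed in primary" % href)
        elif digest(expected[href][0], data) != expected[href][1]:
            failures.append("%s: checksum mismatch" % href)
    return failures


# Constructed sample: one package and the two metadata files describing it.
PKG = b"constructed rpm payload for foo-1.0-1.noarch"
PRIMARY = ('<metadata><package><checksum type="sha256">%s</checksum>'
           '<location href="foo-1.0-1.noarch.rpm"/></package></metadata>'
           % digest("sha256", PKG)).encode()
REPOMD = ('<repomd><data type="primary"><checksum type="sha256">%s</checksum>'
          '<location href="repodata/primary.xml"/></data></repomd>'
          % digest("sha256", PRIMARY)).encode()
```

A mirror that alters a package, swaps in an unlisted one, or rewrites primary.xml is caught at the corresponding step; only a forged signature on repomd.xml would defeat the chain, which is why that single file is the one that must be signed.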