On Tue, Apr 15, 2008 at 7:31 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
>
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary
>
> How would people feel about that?

The problem there is that this system breaks down if the packages get
disassociated from their "original" repository.

For example, I've thought about making a custom version of Fedora for work
every now and then - right now the only changes would be different logos and
artwork and maybe some defaults. Currently, 99% of the packages in my version
of Fedora would have the Fedora signatures on them and the users of my version
of Fedora could trust that I hadn't changed them in some way from what was in
Fedora. If the signatures only lived in the repodata my users wouldn't be able
to check that because I would need to regenerate the repodata and I wouldn't
be able to sign my repodata with the same key that Fedora uses.

Jeff

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
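The trust chain in the quoted proposal (signed repomd, primary verified against repomd, package checksums verified against primary) and the failure mode Jeff describes when a downstream rebuilder regenerates the repodata under its own key, as an added Python example. This is illustration code written for this page, not code from the thread, yum or createrepo. It assumes an HMAC tag as a stand-in for the detached GPG signature on repomd.xml and JSON as a stand-in for the XML metadata; the package payloads, key names and repository layout are constructed.

```python
import hashlib
import hmac
import json

# Stand-in for a detached GPG signature: an HMAC tag under a per-signer key.
# Assumption for this example only; real repositories use asymmetric (GPG)
# signatures, but HMAC keeps the demo offline and stdlib-only.
def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_sig(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Repository-level scheme from the quoted proposal -----------------------

def build_repo(packages: dict, repo_key: bytes) -> dict:
    """Only repomd is signed; primary lists package checksums; repomd lists
    primary's checksum. JSON stands in for primary.xml / repomd.xml."""
    primary = json.dumps({n: sha256(b) for n, b in sorted(packages.items())}).encode()
    repomd = json.dumps({"primary_sha256": sha256(primary)}).encode()
    return {"packages": dict(packages), "primary": primary, "repomd": repomd,
            "repomd_sig": sign(repo_key, repomd)}


def verify_repo(repo: dict, trusted_key: bytes) -> dict:
    """Walk the chain signed repomd -> primary checksum -> package checksums.
    Returns {package: trusted?}; a break higher up the chain fails everything."""
    names = list(repo["packages"])
    if not verify_sig(trusted_key, repo["repomd"], repo["repomd_sig"]):
        return dict.fromkeys(names, False)
    if sha256(repo["primary"]) != json.loads(repo["repomd"])["primary_sha256"]:
        return dict.fromkeys(names, False)
    primary = json.loads(repo["primary"])
    return {n: primary.get(n) == sha256(b) for n, b in repo["packages"].items()}


# --- Per-package signatures (the scheme Jeff's reply relies on) ---------------

def sign_packages(packages: dict, key: bytes) -> dict:
    return {n: sign(key, b) for n, b in packages.items()}


def verify_packages(packages: dict, sigs: dict, trusted_key: bytes) -> dict:
    # A package with no signature from the trusted signer is simply untrusted.
    return {n: n in sigs and verify_sig(trusted_key, b, sigs[n])
            for n, b in packages.items()}


# --- Constructed scenario ----------------------------------------------------

FEDORA_KEY = b"constructed-fedora-signing-key"
WORK_KEY = b"constructed-downstream-signing-key"
FEDORA_PACKAGES = {"foo-1.0.rpm": b"foo payload", "bar-2.1.rpm": b"bar payload"}


def scenario() -> dict:
    fedora_repo = build_repo(FEDORA_PACKAGES, FEDORA_KEY)
    fedora_sigs = sign_packages(FEDORA_PACKAGES, FEDORA_KEY)

    # Downstream: the same Fedora packages byte-for-byte plus one rebranding
    # package. The repodata must be regenerated and can only be signed with
    # WORK_KEY, so a client that trusts only FEDORA_KEY gains nothing from it.
    derived_packages = dict(FEDORA_PACKAGES, **{"work-logos-1.0.rpm": b"logos"})
    derived_repo = build_repo(derived_packages, WORK_KEY)

    # A swapped package body in the original repo, with repomd/primary intact,
    # is caught by the checksum step of the repository-level scheme.
    tampered_repo = dict(fedora_repo,
                         packages=dict(FEDORA_PACKAGES, **{"foo-1.0.rpm": b"evil"}))

    return {
        "fedora_repo_ok": verify_repo(fedora_repo, FEDORA_KEY),
        "tampered_detected": verify_repo(tampered_repo, FEDORA_KEY),
        "derived_under_fedora_key": verify_repo(derived_repo, FEDORA_KEY),
        "derived_under_work_key": verify_repo(derived_repo, WORK_KEY),
        "derived_per_package": verify_packages(derived_packages, fedora_sigs, FEDORA_KEY),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label}: {result}")
```

The repository-level scheme detects a modified package as long as the client holds the signer's repomd, but the trust it provides is bound to the repository, not the package: in the derived repository the unchanged Fedora packages verify only under the downstream key, while the per-package signatures still verify under Fedora's key and single out the one package Fedora never signed.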