On Tue, Apr 15, 2008 at 8:31 AM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
>
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary

I think this makes sense.

--
Colin, who long ago implemented essentially this scheme for apt-get

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
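The three-step chain in the quoted message (signed repomd.xml, primary metadata checked against it, package checksums checked against primary), as an added example that is not code from this thread or from yum/createrepo. The detached GPG signature on repomd.xml is modelled by an HMAC under a key held only by the signer (a stand-in, chosen so the example runs with the standard library alone); the packages, primary.xml and repomd.xml are constructed here and only loosely follow the shape of real repodata; the function names are the example's own.

```python
"""Verify a repository the way the quoted scheme proposes:
a signature covers only repomd.xml, repomd.xml names the sha256 of primary.xml,
and primary.xml names the sha256 of every package. An untrusted mirror can
then alter nothing without breaking one link of the chain."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample repository: filename -> package bytes (not real RPMs).
PACKAGES = {
    "foo-1.0-1.noarch.rpm": b"fake rpm payload for foo",
    "bar-2.3-4.noarch.rpm": b"fake rpm payload for bar",
}

# Stand-in for the repository owner's GPG private key (assumption: HMAC models the signature).
SIGNING_KEY = b"repo-owner-secret"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_primary(packages: dict) -> bytes:
    """One <package> per rpm, each carrying its sha256 (roughly the shape of primary.xml)."""
    parts = ["<metadata>"]
    for name, data in packages.items():
        parts.append(f'<package><location href="{name}"/>'
                     f'<checksum type="sha256">{sha256(data)}</checksum></package>')
    parts.append("</metadata>")
    return "".join(parts).encode()


def build_repomd(primary: bytes) -> bytes:
    """repomd.xml points at primary.xml and pins its sha256."""
    return (f'<repomd><data type="primary"><location href="repodata/primary.xml"/>'
            f'<checksum type="sha256">{sha256(primary)}</checksum></data></repomd>').encode()


def sign_repomd(repomd: bytes, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the detached signature (repomd.xml.asc); only the key holder can produce it."""
    return hmac.new(key, repomd, hashlib.sha256).hexdigest()


def verify_repository(repomd: bytes, signature: str, primary: bytes, packages: dict,
                      key: bytes = SIGNING_KEY) -> list:
    """Walk the chain top-down; return the verified package names or raise at the first broken link."""
    # 1. signed repomd.xml: the only thing the signature covers
    if not hmac.compare_digest(sign_repomd(repomd, key), signature):
        raise ValueError("repomd.xml signature does not verify")
    entry = ET.fromstring(repomd).find("data[@type='primary']")
    if entry is None:
        raise ValueError("repomd.xml has no primary entry")
    chk = entry.find("checksum")
    if chk.get("type") != "sha256":
        raise ValueError("refusing non-sha256 checksum in repomd.xml")
    # 2. primary metadata against signed repomd.xml
    if not hmac.compare_digest(sha256(primary), chk.text):
        raise ValueError("primary.xml does not match repomd.xml")
    # 3. package checksums against primary
    verified = []
    for pkg in ET.fromstring(primary).findall("package"):
        name = pkg.find("location").get("href")
        data = packages.get(name)
        if data is None:
            raise ValueError(f"{name} listed in primary.xml but missing")
        if not hmac.compare_digest(sha256(data), pkg.find("checksum").text):
            raise ValueError(f"{name} does not match primary.xml")
        verified.append(name)
    return verified


def build_signed_repo(packages: dict = PACKAGES):
    primary = build_primary(packages)
    repomd = build_repomd(primary)
    return repomd, sign_repomd(repomd), primary, packages


def tamper_cases() -> dict:
    """Try to alter each link as an untrusted mirror could; map case -> error message (None = accepted)."""
    repomd, sig, primary, packages = build_signed_repo()
    results = {}

    def attempt(case, *args):
        try:
            verify_repository(*args)
            results[case] = None
        except ValueError as e:
            results[case] = str(e)

    attempt("intact", repomd, sig, primary, packages)
    bad_pkgs = {**packages, "foo-1.0-1.noarch.rpm": b"trojaned payload"}
    attempt("package swapped", repomd, sig, primary, bad_pkgs)          # caught at step 3
    bad_primary = build_primary(bad_pkgs)
    attempt("primary rewritten", repomd, sig, bad_primary, bad_pkgs)    # caught at step 2
    attempt("repomd rewritten", build_repomd(bad_primary), sig, bad_primary, bad_pkgs)  # caught at step 1
    return results


if __name__ == "__main__":
    for case, err in tamper_cases().items():
        print(f"{case:18s} -> {err or 'accepted'}")
```

One caveat the chain does not cover on its own: a mirror that serves an older repomd.xml together with its matching old primary.xml and packages still passes every step, because the old signature is still valid. A deployment of this scheme therefore also needs a freshness check (a timestamp or expiry inside the signed repomd.xml) if rollback to a vulnerable package set matters.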