On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> How would people feel if we didn't sign pkgs at all? What if we made
> repodata and only signed the repomd.xml? And we made the checksum for
> the packages sha256 or sha512?
>
> Then we'd have:
> - signed repomd.xml
> - verify primary metadata against signed repomd.xml
> - verify package checksums against primary
>
> How would people feel about that?

That would be better than nothing for e.g. rawhide, but getting rid of
individual package signatures where they are already used I think would be
bad. It is useful to be able to check an individual, isolated package.

Also, you'd lose the verifiability of old packages as soon as an updated one
came out and the repodata was regenerated for the newest packages.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
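The trust chain Seth proposes (signed repomd.xml, primary.xml checksum in repomd.xml, package checksums in primary.xml) and the gap the reply points out, as an added Python example that is not part of this thread: the repomd.xml and primary.xml fragments and the package bytes are constructed, and `signature_valid` is a hypothetical placeholder standing in for the detached GPG check on repomd.xml.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed package contents standing in for RPM files (not real packages).
PACKAGES = {"foo-1.1.rpm": b"foo version 1.1 payload",
            "foo-1.0.rpm": b"foo version 1.0 payload"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_primary(pkg_names):
    """Constructed primary.xml listing only the given packages (yum-style checksum elements)."""
    entries = "".join(
        f'<package type="rpm"><checksum type="sha256" pkgid="YES">{sha256(PACKAGES[n])}</checksum>'
        f'<location href="{n}"/></package>' for n in pkg_names)
    return f"<metadata>{entries}</metadata>".encode()

def build_repomd(primary_xml: bytes) -> bytes:
    """Constructed repomd.xml carrying the checksum of primary.xml."""
    return (f'<repomd><data type="primary"><checksum type="sha256">{sha256(primary_xml)}'
            f'</checksum><location href="repodata/primary.xml"/></data></repomd>').encode()

def signature_valid(repomd_xml: bytes, signature: str) -> bool:
    """Hypothetical placeholder: a real client verifies a detached GPG signature on repomd.xml."""
    return hmac.compare_digest(signature, "SIG:" + sha256(repomd_xml))

def verify_package(name, data, repomd_xml, signature, primary_xml):
    """Walk the chain: signed repomd.xml -> primary.xml checksum -> package checksum."""
    if not signature_valid(repomd_xml, signature):
        return "repomd signature invalid"
    expected = ET.fromstring(repomd_xml).find("./data[@type='primary']/checksum").text
    if not hmac.compare_digest(sha256(primary_xml), expected):
        return "primary.xml does not match repomd.xml"
    for pkg in ET.fromstring(primary_xml).findall("package"):
        if pkg.find("location").get("href") == name:
            ok = hmac.compare_digest(sha256(data), pkg.find("checksum").text)
            return "verified" if ok else "package checksum mismatch"
    # An older package that was dropped when repodata was regenerated ends up here:
    # without a per-package signature there is nothing left to check it against.
    return "package not listed in current metadata"
```

Regenerating the repodata for foo-1.1 only leaves foo-1.0 unverifiable, which is the reply's objection to relying on the signed repomd.xml alone.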