On Tue, 2008-04-15 at 08:47 -0400, Chuck Anderson wrote:
> On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> > How would people feel if we didn't sign pkgs at all? What if we made
> > repodata and only signed the repomd.xml? And we made the checksum for
> > the packages sha256 or sha512?
> >
> > Then we'd have:
> > - signed repomd.xml
> > - verify primary metadata against signed repomd.xml
> > - verify package checksums against primary
> >
> > How would people feel about that?
>
> That would be better than nothing for e.g. rawhide, but getting rid of
> individual package signatures where they are already used I think
> would be bad. It is useful to be able to check an individual,
> isolated package. Also, you'd lose the verifiability of old packages
> as soon as an updated one came out and the repodata was regenerated for
> the newest packages.

So what if we auto-signed packages as just 'coming from koji'. Nothing
more? That'd be enough to know the pkg came from a trusted source.

-sv

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
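The three-step chain proposed in the quoted message (signed repomd.xml, primary metadata checked against repomd.xml, package checksums checked against primary), written out as an added example that is not part of the thread and not yum, createrepo or koji code. It assumes two simplifications: Ed25519 stands in for the GPG signature on repomd.xml, and one-record-per-line text stands in for the repomd.xml and primary.xml formats. It also exercises the limitation Chuck raises: a package that is no longer listed in the current repodata cannot be verified at all, because nothing is signed on the package itself.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for the real repodata files, one record per line:
//   repomd:  "primary sha256 <hex>"
//   primary: "<package-file> sha256 <hex>"
// Ed25519 stands in for the GPG signature on repomd.xml (an assumption of this
// example, not how yum/koji actually sign).

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Repo is what a mirror would publish under the proposal: metadata plus one
// detached signature. Packages themselves carry no signature.
type Repo struct {
	RepoMD    []byte // the only signed artifact
	Signature []byte // detached signature over RepoMD
	Primary   []byte // unsigned; covered only by the checksum inside RepoMD
}

// BuildRepo derives primary from the package contents, repomd from primary,
// and signs repomd. Regenerating the repo for new packages drops old entries.
func BuildRepo(pkgs map[string][]byte, priv ed25519.PrivateKey) Repo {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic metadata bytes, so the checksum is stable
	var primary bytes.Buffer
	for _, n := range names {
		fmt.Fprintf(&primary, "%s sha256 %s\n", n, sha256Hex(pkgs[n]))
	}
	repomd := []byte(fmt.Sprintf("primary sha256 %s\n", sha256Hex(primary.Bytes())))
	return Repo{RepoMD: repomd, Signature: ed25519.Sign(priv, repomd), Primary: primary.Bytes()}
}

// lookup returns the sha256 recorded for key in a line-oriented metadata blob.
func lookup(meta []byte, key string) (string, bool) {
	for _, line := range strings.Split(string(meta), "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == key && f[1] == "sha256" {
			return f[2], true
		}
	}
	return "", false
}

// VerifyPackage walks the chain signature -> repomd -> primary -> package and
// reports the first broken link. A package absent from the current primary
// cannot be verified, which is the loss of old-package verifiability noted in the thread.
func VerifyPackage(pub ed25519.PublicKey, r Repo, name string, pkg []byte) error {
	if !ed25519.Verify(pub, r.RepoMD, r.Signature) {
		return errors.New("repomd signature invalid")
	}
	want, ok := lookup(r.RepoMD, "primary")
	if !ok {
		return errors.New("repomd lists no primary checksum")
	}
	if sha256Hex(r.Primary) != want {
		return errors.New("primary metadata does not match signed repomd")
	}
	want, ok = lookup(r.Primary, name)
	if !ok {
		return fmt.Errorf("%s not in current repodata: cannot be verified", name)
	}
	if sha256Hex(pkg) != want {
		return fmt.Errorf("%s checksum mismatch", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed package contents; real rpm bytes would sit here.
	pkgs := map[string][]byte{
		"foo-1.0-1.noarch.rpm": []byte("constructed rpm bytes A"),
		"bar-2.3-1.noarch.rpm": []byte("constructed rpm bytes B"),
	}
	repo := BuildRepo(pkgs, priv)
	fmt.Println("current foo:", VerifyPackage(pub, repo, "foo-1.0-1.noarch.rpm", pkgs["foo-1.0-1.noarch.rpm"]))
	fmt.Println("older foo:  ", VerifyPackage(pub, repo, "foo-0.9-1.noarch.rpm", []byte("older build")))
}
```

The second call in main is the case from the thread: once the repodata was regenerated for foo-1.0, the foo-0.9 package has nothing left that a client can check, even though it was legitimately published earlier. Per-package signatures, or the "came from koji" auto-signature suggested in the reply, are what would restore that.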