Re: Rawhide issues

On Tue, 2008-04-15 at 08:47 -0400, Chuck Anderson wrote:
> On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> > How would people feel if we didn't sign pkgs at all? What if we made
> > repodata and only signed the repomd.xml? And we made the checksum for
> > the packages sha256 or sha512?
> > 
> > Then we'd have:
> >  - signed repomd.xml
> >  - verify primary metadata against signed repomd.xml
> >  - verify package checksums against primary
> > 
> > How would people feel about that?
> 
> That would be better than nothing for e.g. rawhide, but getting rid of 
> individual package signatures where they are already used I think 
> would be bad.  It is useful to be able to check an individual, 
> isolated package.  Also, you'd lose the verifiability of old packages 
> as soon as an updated one came out and the repodata was regenerated for 
> the newest packages.

So what if we auto-signed packages as just 'coming from koji'. Nothing
more?

That'd be enough to know the pkg came from a trusted source.

-sv
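The three-step chain quoted above (signed repomd.xml, primary verified against repomd.xml, packages verified against primary) as an added illustration in Python; this is not code from the thread or from yum/createrepo. The repodata and package bytes are constructed stand-ins, and the OpenPGP check on repomd.xml is assumed to be done by the caller (e.g. gpg on a detached signature) and passed in as a flag.

```python
"""Chain-of-trust walk for repomd.xml -> primary -> package (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample "packages": name -> bytes (not real rpm data).
PACKAGES = {
    "foo-1.0-1.noarch.rpm": b"constructed package bytes for foo 1.0",
    "bar-2.3-1.noarch.rpm": b"constructed package bytes for bar 2.3",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_primary(packages: dict) -> bytes:
    """Minimal stand-in for primary.xml: one <package> per rpm with its sha256."""
    root = ET.Element("metadata")
    for name, blob in packages.items():
        pkg = ET.SubElement(root, "package")
        ET.SubElement(pkg, "location", href=name)
        ET.SubElement(pkg, "checksum", type="sha256").text = sha256(blob)
    return ET.tostring(root)

def build_repomd(primary_xml: bytes) -> bytes:
    """Minimal stand-in for repomd.xml: records the sha256 of primary.xml.
    In the proposed scheme this is the only file that carries a signature."""
    root = ET.Element("repomd")
    data = ET.SubElement(root, "data", type="primary")
    ET.SubElement(data, "checksum", type="sha256").text = sha256(primary_xml)
    return ET.tostring(root)

def verify_package(repomd_xml: bytes, primary_xml: bytes, name: str,
                   blob: bytes, repomd_signature_ok: bool = True) -> bool:
    """Return True only if every link holds: signature on repomd.xml,
    primary matches the checksum recorded in repomd.xml, and the package
    matches the checksum recorded in primary. Anything missing fails closed."""
    if not repomd_signature_ok:
        return False  # untrusted repomd.xml: nothing below it can be trusted
    repomd = ET.fromstring(repomd_xml)
    want = repomd.find("./data[@type='primary']/checksum").text
    if sha256(primary_xml) != want:
        return False  # primary.xml tampered with or from another repodata run
    primary = ET.fromstring(primary_xml)
    for pkg in primary.findall("package"):
        if pkg.find("location").get("href") == name:
            return pkg.find("checksum").text == sha256(blob)
    return False  # package not in the current primary: no longer verifiable
```

The last branch is the drawback raised in the reply: once repodata is regenerated for a newer version, an older package that is no longer listed in primary cannot be checked through this chain at all.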



-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list