On Tue, 2008-04-15 at 07:44 -0500, Jeffrey Ollie wrote: > The problem there is that this system breaks down if the packages get > disassociated from their "original" repository. For example, I've > thought about making a custom version of Fedora for work every now and > the - right now the only changes would be different logos and artwork > and maybe some defaults. Currenly, 99% of the packages in my version > of Fedora would have the Fedora signatures on them and the users of my > version of Fedora could trust that I hadn't changed them in some way > from what was in Fedora. If the signatures only lived in the repodata > my users wouldn't be able to check that because I would need to > regenerate the repodata and I woudn't be able to sign my repodata with > the same key that Fedora uses. What if all packages that came out of koji were autosigned? Then you'd know where they were from but you'd need to verify them against their metadata to see if they were 'trusted' in another sense. -sv -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
