Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> Just don't let yum install packages that aren't signed.  How about you
> start a rawhide mirror with the following properties: if a package is
> not signed, it won't be in your mirror; you'll keep the previous
> version of such package instead.


Then it would not be a rawhide mirror. It would be a rawhide distortion.

mirror implies an identical reflection. :)

> An alternative is to script a yum wrapper that, when encountering an
> unsigned package, automatically excludes that and retries, until you
> get only signed packages installed.  Heck, wouldn't it be way so cool
> if yum could do it all by itself?

You could download the header from the package and look beyond it to see
if there are any non-md5/sha1 signatures and if any of those are gpg
signatures. However, you won't be able to know if it passes the sig
check w/o downloading the whole package. And boy would that suck for the
user.

> It's unlikely that signed packages will have dependencies on unsigned
> packages, because of the way signing is done, so odds are that, given
> daily rawhide pushes, you'd be able to move forward quite regularly.

except that testing would crawl to a halt on the unsigned packages.

> > If yum could provide a lesser degree of verification, by verifying
> > checksums instead of signatures, this wouldn't be a bad thing?
> 
> Err...  Doesn't it?  up2date does, and so does rpm.

yum checks the package checksum and the file checksum, yes.

-sv



[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]