On Oct 26, 2004, seth vidal <skvidal@xxxxxxxxxxxx> wrote:

>> Just don't let yum install packages that aren't signed. How about
>> you start a rawhide mirror with the following properties: if a
>> package is not signed, it won't be in your mirror; you'll keep the
>> previous version of such package instead.

> Then it would not be a rawhide mirror. It would be a rawhide distortion.
> mirror implies an identical reflection. :)

Well, not quite. Plane mirrors do. And, even then, there's a small delay
for the light to get from you to the mirror and back, so when you see
your image in the mirror, you're no longer what you're seeing there :-)
This wouldn't be that different :-)

> You could download the header from the package and look beyond it to see
> if there are any non-md5/sha1 signatures and if any of those are gpg
> signatures. However, you won't be able to know if it passes the sig
> check w/o downloading the whole package. And boy would that suck for the
> user.

No dispute here. But if it could, later on, realize that the package was
signed and use http interval fetch tricks to obtain only the signature,
it would be way cool.

>> It's unlikely that signed packages will have dependencies on unsigned
>> packages, because of the way signing is done, so odds are that, given
>> daily rawhide pushes, you'd be able to move forward quite regularly.

> except that testing would crawl to a halt on the unsigned packages.

Which would be a good reason for the key bearers :-) to actually sign
packages that go to rawhide more often.

-- 
Alexandre Oliva http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva@{redhat.com, gcc.gnu.org}
Free Software Evangelist oliva@{lsd.ic.unicamp.br, gnu.org}
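The check Seth describes (read only the front of the package, look in the signature header for tags beyond the md5/sha1 digests, and see whether any of them is a GPG/PGP signature) can be done from a short prefix of the file, which is also what makes the ranged-fetch idea in the reply workable. The following is an added example written for this page; it is not code from the thread, from yum, or from rpm. It parses the RPM lead and signature header from bytes, reports which digest and signature tags are present, and computes how many bytes a ranged request would need to cover the whole signature header. The tag numbers come from rpm's rpmtag.h; the package prefix it runs on is constructed in the example and is not a real package.

```python
import struct

# RPM on-disk layout: a 96-byte lead, then the signature header
# (magic, reserved, entry count, store size, index entries, data store),
# then the main header and payload.  Only the lead and signature header
# are needed for this check.
LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic plus version byte
INDEX_ENTRY_SIZE = 16                 # tag, type, offset, count (big-endian uint32 each)
RPM_BIN_TYPE = 7

# Signature-header tags from rpm's rpmtag.h.
RPMSIGTAG_DSA = 267    # DSA signature over the main header
RPMSIGTAG_RSA = 268    # RSA signature over the main header
RPMSIGTAG_SHA1 = 269   # SHA1 digest of the main header
RPMSIGTAG_SIZE = 1000  # header+payload size
RPMSIGTAG_PGP = 1002   # RSA signature over header+payload
RPMSIGTAG_MD5 = 1004   # MD5 digest over header+payload
RPMSIGTAG_GPG = 1005   # DSA signature over header+payload

DIGEST_TAGS = {RPMSIGTAG_SHA1, RPMSIGTAG_MD5}
SIGNATURE_TAGS = {RPMSIGTAG_DSA, RPMSIGTAG_RSA, RPMSIGTAG_PGP, RPMSIGTAG_GPG}


def signature_header_extent(prefix):
    """Given at least the first 112 bytes (lead + 16-byte header preamble),
    return how many bytes from the start of the file cover the whole
    signature header: the length a second ranged fetch would ask for."""
    if len(prefix) < LEAD_SIZE + 16:
        raise ValueError("need lead plus header preamble")
    if prefix[:4] != LEAD_MAGIC or prefix[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("not an RPM lead/signature header")
    nindex, hsize = struct.unpack(">II", prefix[LEAD_SIZE + 8:LEAD_SIZE + 16])
    return LEAD_SIZE + 16 + INDEX_ENTRY_SIZE * nindex + hsize


def parse_signature_header(data):
    """Return {tag: bytes} for the signature header.  `data` may be only a
    prefix of the file, as long as it covers the whole signature header."""
    extent = signature_header_extent(data)
    if len(data) < extent:
        raise ValueError("truncated signature header")
    nindex, hsize = struct.unpack(">II", data[LEAD_SIZE + 8:LEAD_SIZE + 16])
    index_start = LEAD_SIZE + 16
    store_start = index_start + INDEX_ENTRY_SIZE * nindex
    entries = {}
    for i in range(nindex):
        start = index_start + INDEX_ENTRY_SIZE * i
        tag, typ, off, count = struct.unpack(">IIII", data[start:start + INDEX_ENTRY_SIZE])
        # Digests and signatures are stored as RPM_BIN_TYPE, where count is
        # the byte length; int32 arrays are 4 bytes per element.
        length = 4 * count if typ == 4 else count
        if off + length > hsize:
            raise ValueError("index entry points outside the store")
        entries[tag] = data[store_start + off:store_start + off + length]
    return entries


def signature_status(data):
    """Classify a package prefix as 'signed' (some GPG/PGP/RSA/DSA tag is
    present) or 'unsigned' (digests only).  Presence of a signature tag is
    not verification: that still needs the bytes the signature covers."""
    entries = parse_signature_header(data)
    sigs = sorted(t for t in entries if t in SIGNATURE_TAGS)
    digests = sorted(t for t in entries if t in DIGEST_TAGS)
    return ("signed" if sigs else "unsigned", sigs, digests)


def build_sample_prefix(tags):
    """Construct a synthetic lead + signature header carrying the given
    {tag: bytes} entries.  This is constructed test data for the example
    only; it is not a real package and would not pass rpm's own checks."""
    lead = (LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"example-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5)
            + b"\0" * 16)
    assert len(lead) == LEAD_SIZE
    index, store = b"", b""
    for tag, value in tags.items():
        index += struct.pack(">IIII", tag, RPM_BIN_TYPE, len(store), len(value))
        store += value
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(tags), len(store)) + index + store
    return lead + header


if __name__ == "__main__":
    signed = build_sample_prefix({RPMSIGTAG_SIZE: struct.pack(">I", 1234),
                                  RPMSIGTAG_MD5: b"\0" * 16,
                                  RPMSIGTAG_GPG: b"\x88" + b"\0" * 10})
    unsigned = build_sample_prefix({RPMSIGTAG_MD5: b"\0" * 16,
                                    RPMSIGTAG_SHA1: b"a" * 40})
    print("bytes to fetch for signature header:", signature_header_extent(signed[:112]))
    print("signed sample:", signature_status(signed))
    print("unsigned sample:", signature_status(unsigned))
```

The two-step shape mirrors the ranged-fetch idea: the first 112 bytes give the index count and store size, the second request covers exactly `signature_header_extent` bytes, and no payload is transferred. As the thread says, that only tells you a signature is attached; whether it verifies against a trusted key still requires the header (for the 267/268 tags) or header plus payload (for the 1002/1005 tags), so a mirror policy built on this check is a presence filter, not a verification step.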