On Fri, 29 Oct 2004, Nils Philippsen wrote:

> On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:
>
> > That being said, let me take your points one by one:
> >
> > 1. Replace something that worked well for years. What was the
> > mechanism previously that let me verify that the updated kernel RPM on
> > Mirror X was a bit-identical copy of the one actually published by Red
> > Hat? I know how to verify ISO's but know of nothing that verifies a
> > package was not tampered with after being placed on a mirror.
>
> This is an old snapshot of Rawhide but serves well nonetheless:
>
> nils@gibraltar:/misc/scratch/rawhide/i386/Fedora/RPMS> rpm -K rpmdb-fedora-1.91-0.20040325.i386.rpm bash-2.05b-38.i386.rpm
> rpmdb-fedora-1.91-0.20040325.i386.rpm: sha1 md5 OK
> bash-2.05b-38.i386.rpm: (sha1) dsa sha1 md5 gpg OK
>
> See? I can verify that the bash package is signed with one of the keys I
> have in the keyring. Granted that I can't see (here) which key it was
> signed with

Actually, you can, using 'rpm -Kv'. :-)

-- Elliot
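
An added example, not part of the original thread: in the `rpm -K` output quoted above, the first package passed only digest checks while the second also had a signature verified against the keyring, and a mirror-side check should tell those apart. The function name, status labels and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Sample `rpm -K` output. The first two lines are the ones quoted in the
# thread; the third is a constructed failure line for illustration.
SAMPLE_RPM_K='rpmdb-fedora-1.91-0.20040325.i386.rpm: sha1 md5 OK
bash-2.05b-38.i386.rpm: (sha1) dsa sha1 md5 gpg OK
example-1.0-1.i386.rpm: sha1 md5 NOT OK'

# classify_rpm_k (hypothetical helper): read `rpm -K` lines on stdin and
# print "<status> <package>" for each one.
#   signed       result is OK and a signature token was among the checks
#   digest-only  result is OK but only digests (sha1/md5) were checked,
#                which proves nothing about who built the package
#   failed       anything else, including NOT OK
classify_rpm_k() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        pkg=${line%%:*}      # text before the first colon
        rest=${line#*:}      # list of checks plus the verdict
        status=failed
        case "$rest" in
            *"NOT OK"*)
                status=failed
                ;;
            *" OK")
                status=digest-only
                for tok in $rest; do
                    # Drop the parentheses rpm puts around some tokens.
                    tok=$(printf '%s' "$tok" | tr -d '()')
                    case "$tok" in
                        # dsa and gpg appear in the thread's sample;
                        # rsa and pgp are rpm's other signature tokens.
                        dsa|gpg|rsa|pgp) status=signed ;;
                    esac
                done
                ;;
        esac
        printf '%s %s\n' "$status" "$pkg"
    done
}

# Run over the embedded sample; on a real mirror, pipe `rpm -K *.rpm` in.
printf '%s\n' "$SAMPLE_RPM_K" | classify_rpm_k
```

Anything reported as `digest-only` or `failed` should be treated as unverified, since a tampered package on a mirror can carry self-consistent digests.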