On Fri, 2004-10-29 at 19:37 +0200, Nils Philippsen wrote:
> On Fri, 2004-10-29 at 11:06 -0600, Rodolfo J. Paiz wrote:
[snip]
> > I see no downside. Since you do, can you provide more detail on what and
> > why?
>
> I see no downside in repo metadata signing either, it's a good thing
> actually. But it is not an argument on why packages shouldn't be signed
> individually.

Um...did I miss something? I didn't see anyone suggest *replacing*
package signing with repo metadata signing. It's just an added measure
to help ensure that what is on the mirrors is what is on the official
Red Hat repo. Granted, you still need yum or up2date to use that
information, but it's still a net gain. In particular for when some
packages don't get signed, which seems to be what this thread is about
(today, anyhow ;-)).

At least, I sure *hope* no one was suggesting foregoing package
signing. Cuz that would be bad. :-)

--
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly? -- Try Linux.
 GPL all the way: Sell services, don't lease secrets