On Fri, 5 Nov 2004, seth vidal wrote:
> This is just based on keys in your rpmdb.
>
> The idea is this:
>
> if you have 3 repos available to yum.
>
> They are signed with 3 separate gpg keys. So you've imported all the
> keys into your rpmdb. The whole point of the feature I described before
> is so you can say:
>
> the only packages I want from this repository are signed with _this_
> key. If you get a package from this repository that is signed with any
> other key, even if I have that key in my rpmdb, don't trust it.

Ok - here you are saying EACH package is signed. And this package
signature is the one that's compared.

The inferences I get from the above are:

- all packages from all repos should be signed (ideally)
- if an unsigned package is part of the dep-resolve list - then yum
  just aborts the transaction
- (Obviously - the main feature) if the 'key' doesn't match the one
  specified for this repo in yum.conf - the transaction is aborted.

I do like this new feature. A couple of questions remain.

- Where does signing 'metadata' fit in here?
- And this scheme would require rawhide packages also to be signed with
  some key. (or am I misreading this?)

thanks,
Satish
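As an added illustration (not yum's own code, nor anything from the thread's authors), the trust policy inferred in the mail above modelled in Python: a transaction aborts on any unsigned package, and a package whose signing key is already in the rpmdb but is not the key pinned for its repo is rejected too. Repo names, key IDs, the Package type and the fallback for repos without a pinned key are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Package:
    name: str
    repo: str
    signer: Optional[str]  # GPG key ID the package is signed with; None if unsigned

# Constructed per-repo pinning, standing in for a gpgkey setting in yum.conf:
# packages from this repo must be signed with exactly this key.
REPO_KEYS = {
    "base":    "KEYID-BASE",
    "updates": "KEYID-UPDATES",
    "extras":  "KEYID-EXTRAS",
}

# Keys imported into the rpmdb. Every repo key is present on purpose, so
# "the key is in the rpmdb" alone cannot be what decides trust.
RPMDB_KEYS = set(REPO_KEYS.values())

def check_transaction(packages, repo_keys=REPO_KEYS, rpmdb_keys=RPMDB_KEYS):
    """Return (ok, reason); abort on the first package that violates the policy."""
    for pkg in packages:
        if pkg.signer is None:
            # Inference 2 in the mail: an unsigned package aborts the whole transaction.
            return False, f"{pkg.name}: unsigned package from repo {pkg.repo}"
        if pkg.signer not in rpmdb_keys:
            # Baseline rpmdb check that yum already did before the new feature.
            return False, f"{pkg.name}: signed with unknown key {pkg.signer}"
        expected = repo_keys.get(pkg.repo)
        if expected is None:
            # Assumption: a repo with no pinned key keeps the old rpmdb-only behaviour.
            continue
        if pkg.signer != expected:
            # The main feature: key trusted in the rpmdb, but not for this repo.
            return False, (f"{pkg.name}: signed with {pkg.signer}, "
                           f"repo {pkg.repo} requires {expected}")
    return True, "all packages signed with their repo's pinned key"
```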