[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: yum GPG verify and package sigs...

From: Matthew Miller <mattdm mattdm org>
To: List for Fedora Package Maintainers <fedora-maintainers redhat com>
Subject: Re: yum GPG verify and package sigs...
Date: Sat, 23 Jul 2005 09:49:29 -0400

On Sat, Jul 23, 2005 at 01:20:24AM -1000, Warren Togami wrote:
> I *like* that yum enforces this strictly, but are there any good reasons 
> why we should allow packages in a repo to be signed by two or more valid 
> keys rather than a single key?
[...]
> Did we screw up by not resigning everything in base before pushing FC4, 
> or is this really a yum config problem?
> Any ideas how we should fix this now?  Should we resign the entire repo 
> and push that to mirrors?
[...]

> Or maybe less radically update yum so the repo file allows both keys? 
> (Use this as a one-time kludge for FC4, and in the future make sure each 
> repo uses *one* key.)

The very latest version of yum, 2.3.4, can handle multiple GPG keys. FC4 has
2.3.2; perhaps updating it is the easiest solution.


-- 
Matthew Miller           mattdm mattdm org        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
Current office temperature: 78 degrees Fahrenheit.

References:
- yum GPG verify and package sigs...
  - From: Warren Togami

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]