Rawhide issues

Jeffrey Ollie jeff at ocjtech.us
Tue Apr 15 12:44:21 UTC 2008


On Tue, Apr 15, 2008 at 7:31 AM, seth vidal <skvidal at fedoraproject.org> wrote:
>
>  How would people feel if we didn't sign pkgs at all? What if we made
>  repodata and only signed the repomd.xml? And we made the checksum for
>  the packages sha256 or sha512?
>
>  Then we'd have:
>   - signed repomd.xml
>   - verify primary metadata against signed repomd.xml
>   - verify package checksums against primary
>
>  How would people feel about that?

The problem there is that this system breaks down if the packages get
disassociated from their "original" repository.  For example, I've
thought about making a custom version of Fedora for work every now and
then - right now the only changes would be different logos and artwork
and maybe some defaults.  Currently, 99% of the packages in my version
of Fedora would have the Fedora signatures on them and the users of my
version of Fedora could trust that I hadn't changed them in some way
from what was in Fedora.  If the signatures only lived in the repodata
my users wouldn't be able to check that because I would need to
regenerate the repodata and I wouldn't be able to sign my repodata with
the same key that Fedora uses.

Jeff
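Added example (not code from the thread or from Fedora's tooling) modelling the proposed chain: a signed repomd.xml, primary metadata checked against it, and package checksums checked against primary. The packages, keys and the XML layout are constructed, and a keyed HMAC stands in for the detached GPG signature; the last function runs the publisher and client sides together so the rebuilt-repository case Jeff describes can be checked directly.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

# Constructed sample packages (name -> bytes) and two constructed stand-in keys (assumptions).
PACKAGES = {"foo-1.0.rpm": b"contents of foo", "bar-2.0.rpm": b"contents of bar"}
FEDORA_KEY, REBUILDER_KEY = b"constructed-fedora-key", b"constructed-rebuilder-key"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_primary(packages):
    # Minimal primary.xml: one <package> with location and sha256 checksum each.
    root = ET.Element("metadata")
    for name, data in packages.items():
        pkg = ET.SubElement(root, "package")
        ET.SubElement(pkg, "location", href=name)
        ET.SubElement(pkg, "checksum", type="sha256").text = sha256(data)
    return ET.tostring(root)

def build_repomd(primary_xml):
    # Minimal repomd.xml: records the sha256 of primary.xml.
    root = ET.Element("repomd")
    entry = ET.SubElement(root, "data", type="primary")
    ET.SubElement(entry, "checksum", type="sha256").text = sha256(primary_xml)
    return ET.tostring(root)

def sign_repomd(repomd_xml, key):
    # Stand-in for the detached GPG signature on repomd.xml (assumption: keyed HMAC).
    return hmac.new(key, repomd_xml, "sha256").hexdigest()

def verify_chain(repomd_xml, signature, trusted_key, primary_xml, packages):
    # The three checks from the proposal: signature -> primary checksum -> package checksums.
    if not hmac.compare_digest(sign_repomd(repomd_xml, trusted_key), signature):
        return False  # repomd.xml was not signed by the key the client trusts
    want = ET.fromstring(repomd_xml).find("data[@type='primary']/checksum").text
    if sha256(primary_xml) != want:
        return False  # primary metadata does not match the signed repomd.xml
    for pkg in ET.fromstring(primary_xml).findall("package"):
        name = pkg.find("location").get("href")
        if sha256(packages.get(name, b"")) != pkg.find("checksum").text:
            return False  # package missing, or modified since the metadata was built
    return True

def publish_and_verify(packages, signing_key, trusted_key, served=None):
    # Publisher: build repodata, sign repomd.xml. Client: verify with its trusted key.
    primary = build_primary(packages)
    repomd = build_repomd(primary)
    sig = sign_repomd(repomd, signing_key)
    return verify_chain(repomd, sig, trusted_key, primary, served if served is not None else packages)
```

With unchanged packages but repodata regenerated and signed with the rebuilder's key, verification against the original key fails, which is exactly the loss of per-package trust Jeff describes.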