Rawhide issues

Colin Walters walters at verbum.org
Tue Apr 15 12:45:31 UTC 2008


On Tue, Apr 15, 2008 at 8:31 AM, seth vidal <skvidal at fedoraproject.org> wrote:
>
>  How would people feel if we didn't sign pkgs at all? What if we made
>  repodata and only signed the repomd.xml? And we made the checksum for
>  the packages sha256 or sha512?
>
>  Then we'd have:
>   - signed repomd.xml
>   - verify primary metadata against signed repomd.xml
>   - verify package checksums against primary

I think this makes sense.

-- Colin, who long ago implemented essentially this scheme for apt-get
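
The three-step chain from the quoted proposal, sketched as an added example; it is not part of the original message and not code from any package manager. It assumes a simplified, constructed XML layout, uses an HMAC with a demo key as a stand-in for the GPG signature check on repomd.xml, and every function name in it is hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

class VerificationError(Exception):
    pass

def check_digest(data, elem, what):
    # elem is a <checksum type="..."> element taken from already-verified metadata.
    algo = elem.get("type") if elem is not None else None
    if algo not in ("sha256", "sha512"):
        raise VerificationError(f"{what}: missing or unaccepted checksum type")
    if hashlib.new(algo, data).hexdigest() != (elem.text or "").strip().lower():
        raise VerificationError(f"{what}: checksum mismatch")

def verify_chain(repomd, sig, sig_ok, primary, pkg_name, pkg_bytes):
    # Step 1: nothing in repomd.xml is parsed or trusted until its signature verifies.
    if not sig_ok(repomd, sig):
        raise VerificationError("repomd.xml: bad signature")
    # Step 2: primary metadata must match the checksum recorded in the signed repomd.xml.
    entry = ET.fromstring(repomd).find("data[@type='primary']/checksum")
    check_digest(primary, entry, "primary")
    # Step 3: the package must match its checksum in the now-verified primary.
    for pkg in ET.fromstring(primary).iter("package"):
        if pkg.findtext("name") == pkg_name:
            check_digest(pkg_bytes, pkg.find("checksum"), pkg_name)
            return True
    raise VerificationError(f"{pkg_name}: not listed in primary")

# Constructed demo data; HMAC with a demo key stands in for the GPG signature check.
DEMO_KEY = b"constructed-demo-key"

def demo_sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def demo_sig_ok(data, sig):
    return hmac.compare_digest(demo_sign(data), sig)

def build_demo_repo(pkg_bytes):
    primary = ("<metadata><package><name>demo</name><checksum type='sha256'>"
               + hashlib.sha256(pkg_bytes).hexdigest()
               + "</checksum></package></metadata>").encode()
    repomd = ("<repomd><data type='primary'><checksum type='sha256'>"
              + hashlib.sha256(primary).hexdigest()
              + "</checksum></data></repomd>").encode()
    return repomd, demo_sign(repomd), primary

if __name__ == "__main__":
    repomd, sig, primary = build_demo_repo(b"package payload")
    print(verify_chain(repomd, sig, demo_sig_ok, primary, "demo", b"package payload"))
```

Because each file is hashed only against metadata that has already been verified, a swapped package or a swapped primary file fails at its own step even though neither carries a signature.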



