Rawhide issues
seth vidal
skvidal at fedoraproject.org
Tue Apr 15 12:50:29 UTC 2008
On Tue, 2008-04-15 at 08:47 -0400, Chuck Anderson wrote:
> On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> > How would people feel if we didn't sign pkgs at all? What if we made
> > repodata and only signed the repomd.xml? And we made the checksum for
> > the packages sha256 or sha512?
> >
> > Then we'd have:
> > - signed repomd.xml
> > - verify primary metadata against signed repomd.xml
> > - verify package checksums against primary
> >
> > How would people feel about that?
>
> That would be better than nothing for e.g. rawhide, but getting rid of
> individual package signatures where they are already used I think
> would be bad. It is useful to be able to check an individual,
> isolated package. Also, you'd lose the verifiability of old packages
> as soon as an updated one came out and the repodata was regenerated for
> the newest packages.
So what if we auto-signed packages as just 'coming from koji'. Nothing
more?
That'd be enough to know the pkg came from a trusted source.
-sv
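The three-step chain proposed above (signed repomd.xml, primary metadata checked against it, package checksums checked against primary), as an added Python model that is not part of this thread or of yum/createrepo. The XML is a simplified stand-in for the real repodata layout, the package bytes and key are constructed, and an HMAC stands in for the GPG signature on repomd.xml. The last step also exhibits Chuck's objection: once repodata is regenerated, a package no longer listed in primary.xml has nothing left to verify against.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-ins for .rpm payloads and the repository signing key (assumptions)
PACKAGES = {"foo-1.0.rpm": b"foo version 1", "bar-2.3.rpm": b"bar version 2.3"}
SIGNING_KEY = b"constructed-repo-signing-key"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_primary(packages):
    # Simplified primary.xml: one <package> per rpm with its sha256 checksum
    root = ET.Element("metadata")
    for name, data in sorted(packages.items()):
        pkg = ET.SubElement(root, "package")
        ET.SubElement(pkg, "location", href=name)
        ET.SubElement(pkg, "checksum", type="sha256").text = sha256(data)
    return ET.tostring(root)


def build_repomd(primary):
    # Simplified repomd.xml recording the checksum of primary.xml
    root = ET.Element("repomd")
    data = ET.SubElement(root, "data", type="primary")
    ET.SubElement(data, "checksum", type="sha256").text = sha256(primary)
    return ET.tostring(root)


def sign(repomd):
    # HMAC stands in for the detached GPG signature over repomd.xml (assumption)
    return hmac.new(SIGNING_KEY, repomd, "sha256").hexdigest()


def verify_package(name, data, repomd, signature, primary):
    """Walk the chain: signature -> repomd.xml -> primary.xml -> package bytes."""
    # 1. repomd.xml is the only signed artifact; it is the trust root
    if not hmac.compare_digest(sign(repomd), signature):
        return False
    # 2. primary.xml must match the checksum the signed repomd.xml records for it
    node = ET.fromstring(repomd).find("data[@type='primary']/checksum")
    if node is None or not hmac.compare_digest(sha256(primary), node.text):
        return False
    # 3. the package must match the checksum primary.xml records for it
    for pkg in ET.fromstring(primary).findall("package"):
        if pkg.find("location").get("href") == name:
            return hmac.compare_digest(sha256(data), pkg.find("checksum").text)
    return False  # not listed in current primary.xml: unverifiable through this chain
```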