Rawhide issues

seth vidal skvidal at fedoraproject.org
Tue Apr 15 12:50:29 UTC 2008


On Tue, 2008-04-15 at 08:47 -0400, Chuck Anderson wrote:
> On Tue, Apr 15, 2008 at 08:31:37AM -0400, seth vidal wrote:
> > How would people feel if we didn't sign pkgs at all? What if we made
> > repodata and only signed the repomd.xml? And we made the checksum for
> > the packages sha256 or sha512?
> > 
> > Then we'd have:
> >  - signed repomd.xml
> >  - verify primary metadata against signed repomd.xml
> >  - verify package checksums against primary
> > 
> > How would people feel about that?
> 
> That would be better than nothing for e.g. rawhide, but getting rid of 
> individual package signatures where they are already used I think 
> would be bad.  It is useful to be able to check an individual, 
> isolated package.  Also, you'd lose the verifiability of old packages 
> as soon as an updated one came out and the repodata was regenerated for 
> the newest packages.

So what if we auto-signed packages as just 'coming from koji'. Nothing
more?

That'd be enough to know the pkg came from a trusted source.

-sv
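Worked example of the checksum chain in the proposal quoted above (added here; it is not code from this thread, nor from yum or createrepo). It assumes the GPG signature on repomd.xml has already been checked by an external tool such as gpg, and starts at the two hops that follow: repomd.xml vouches for primary.xml, primary.xml vouches for each package. The metadata is constructed and simplified (no XML namespaces, no gzip, stand-in bytes instead of real RPMs). It also shows the caveat raised in the reply: a package that the regenerated primary no longer lists has no verification path at all.

```python
"""Hash-chain verification for the signed-repomd-only scheme.

Trust flows: GPG signature -> repomd.xml -> primary.xml -> package file.
Assumption: the GPG check on repomd.xml already succeeded (outside this
snippet).  All metadata and package bytes below are constructed for the
example and are not real Fedora repodata.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed repository content -----------------------------------------
PACKAGES = {
    "foo-1.1-1.noarch.rpm": b"constructed bytes standing in for foo-1.1",
    "bar-2.0-3.noarch.rpm": b"constructed bytes standing in for bar-2.0",
}
# An older build that the regenerated repodata no longer lists.
OLD_PACKAGE = ("foo-1.0-1.noarch.rpm", b"constructed bytes standing in for foo-1.0")


def build_primary(packages: dict) -> bytes:
    """Simplified primary.xml: one <package> per file with its sha256."""
    pkgs = "".join(
        f'<package type="rpm"><name>{href.split("-")[0]}</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256_hex(data)}</checksum>'
        f'<location href="{href}"/></package>'
        for href, data in packages.items()
    )
    return f'<metadata packages="{len(packages)}">{pkgs}</metadata>'.encode()


def build_repomd(primary_bytes: bytes) -> bytes:
    """Simplified repomd.xml: records the sha256 of primary.xml."""
    return (
        '<repomd><data type="primary">'
        f'<checksum type="sha256">{sha256_hex(primary_bytes)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()


def verify_primary(repomd_bytes: bytes, primary_bytes: bytes) -> bool:
    """Hop 1: the (already GPG-verified) repomd.xml vouches for primary.xml."""
    root = ET.fromstring(repomd_bytes)
    for data in root.findall("data"):
        if data.get("type") == "primary":
            cs = data.find("checksum")
            if cs is None or cs.get("type") != "sha256":
                return False  # missing or weaker digest than the policy allows
            return hmac.compare_digest(cs.text, sha256_hex(primary_bytes))
    return False  # repomd.xml names no primary at all


def package_checksums(primary_bytes: bytes) -> dict:
    """href -> expected sha256, taken only from sha256 <checksum> entries."""
    out = {}
    for pkg in ET.fromstring(primary_bytes).findall("package"):
        cs = pkg.find("checksum")
        if cs is not None and cs.get("type") == "sha256":
            out[pkg.find("location").get("href")] = cs.text
    return out


def verify_package(repomd_bytes: bytes, primary_bytes: bytes,
                   href: str, data: bytes) -> str:
    """Hop 2: primary.xml vouches for the package file.

    Returns "ok", "bad-primary", "not-listed" or "mismatch".  "not-listed"
    is the case from the reply above: once the repodata is regenerated,
    a superseded package has nothing signed that vouches for it.
    """
    if not verify_primary(repomd_bytes, primary_bytes):
        return "bad-primary"
    expected = package_checksums(primary_bytes).get(href)
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(expected, sha256_hex(data)) else "mismatch"


if __name__ == "__main__":
    primary = build_primary(PACKAGES)
    repomd = build_repomd(primary)
    for href, data in PACKAGES.items():
        print(href, verify_package(repomd, primary, href, data))
    print("tampered payload:", verify_package(repomd, primary,
                                              "bar-2.0-3.noarch.rpm", b"evil"))
    print("tampered primary:", verify_package(repomd, primary + b" ",
                                              "bar-2.0-3.noarch.rpm",
                                              PACKAGES["bar-2.0-3.noarch.rpm"]))
    print("superseded build:", verify_package(repomd, primary, *OLD_PACKAGE))
```

The chain only holds if every hop insists on the digest named in the proposal: if a client accepted a `type="sha1"` or `type="md5"` entry anywhere, the signature on repomd.xml would be vouching for a weaker link than intended, so the checks refuse anything but sha256.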

More information about the fedora-devel-list mailing list