On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote: > 1. repomd.xml needs to be signed. Either attached or detached sig > (advice sought). If attached, format would be I would prefer a detached sig, so that the checksum of repomd.xml itself doesn't change if the GPG sig for it does. This is important as there are control files in the compose to track consistency of the tree itself, and having the repomd.xml change it's key would invalidate this control file. -- Jesse Keating Fedora -- Freedom² is a feature!
Description: This is a digitally signed message part