[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...



On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
> 1. repomd.xml needs to be signed. Either attached or detached sig
>    (advice sought).  If attached, format would be

I would prefer a detached sig, so that the checksum of repomd.xml itself
doesn't change if the GPG sig for it does.  This is important as there
are control files in the compose to track consistency of the tree
itself, and having the repomd.xml change it's key would invalidate this
control file.

-- 
Jesse Keating
Fedora -- FreedomĀ² is a feature!

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]