[Rpm-metadata] release/repo file - more stuff

Jeff Johnson n3npq at nc.rr.com
Fri Nov 14 17:04:34 UTC 2003


seth vidal wrote:

>I'm not sure how useful this is for apt-deb b/c I'm not sure how debs
>handle gpg signatures.
>
>But would it be useful to add, to the common metadata, an optional
>location for a gpg public key that the packages are signed with.
>
><repository>
>  <name>..</name>
>  <key type="gpg" url="http://complete-url"/>
>  ...
></repository>
>
>maybe let that be listed multiple times for multiple keys...
>
>thoughts, should this be in a namespace or would it be useful for
>debian/apt as well?
>

There's more to key distribution than just listing a URI. What is needed first is some thought on why anyone should trust the URI encoded in metadata XML.

Then there's HKP transport from key servers that will need coding, location of local key ring, editing of trust bit, vetting web-of-trust or CA's, the last quickly becomes endless.

All very very tedious and blah.

I wouldn't bother with pubkey location until you figger out XMLsec for the metadata itself. That would seem to be a reasonable precursor to advertising remote locations for pubkeys.

XMLsec for metadata is gonna be non-trivial though. And pubkeys are headed for packages, either in files or in metadata.

73 de Jeff
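An added example (not code from either poster, and not part of rpm-metadata) illustrating the ordering argued for above: a client only consults the `<key url="..."/>` entries in repository metadata after the metadata itself has been authenticated against a verifier pinned out of band. The XML shape follows the `<repository>`/`<key>` sketch in the quoted message; the sample document, the pinned verification key and the HMAC-SHA256 signature are constructed stand-ins for the OpenPGP/XMLsec signature the thread discusses, since the standard library has no OpenPGP implementation.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample metadata, shaped after the <repository>/<key> sketch in the thread.
# The hostname is a placeholder, not a real repository.
REPO_XML = b"""<repository>
  <name>example-repo</name>
  <key type="gpg" url="https://repo.example.invalid/keys/RPM-GPG-KEY-example"/>
  <key type="gpg" url="https://repo.example.invalid/keys/RPM-GPG-KEY-older"/>
</repository>
"""

# Hypothetical verifier pinned on the client out of band (shipped with the tool,
# not fetched from the repository). HMAC-SHA256 with a pre-shared secret stands in
# for a real detached OpenPGP / XMLsec signature; the trust ordering is the point.
PINNED_VERIFY_KEY = b"constructed-out-of-band-secret"


class UntrustedMetadata(Exception):
    """Raised when repository metadata cannot be authenticated."""


def sign_metadata(metadata: bytes, key: bytes = PINNED_VERIFY_KEY) -> str:
    """Stand-in for the repository publisher signing the metadata file."""
    return hmac.new(key, metadata, hashlib.sha256).hexdigest()


def metadata_is_authentic(metadata: bytes, signature: str,
                          key: bytes = PINNED_VERIFY_KEY) -> bool:
    """Constant-time check of the detached signature over the raw metadata bytes."""
    return hmac.compare_digest(sign_metadata(metadata, key), signature)


def trusted_key_locations(metadata: bytes,
                          signature: Optional[str]) -> List[Tuple[str, str]]:
    """Return (type, url) pairs for advertised public keys, but only if the
    metadata carrying them verifies against the pinned key.  Unsigned or
    tampered metadata yields nothing: a key URL inside it has no provenance."""
    if signature is None or not metadata_is_authentic(metadata, signature):
        raise UntrustedMetadata("metadata not signed by the pinned verifier")

    # Parse only after authentication so untrusted input never reaches the
    # XML parser in the first place.
    root = ET.fromstring(metadata)
    if root.tag != "repository":
        raise UntrustedMetadata("unexpected root element %r" % root.tag)

    locations = []
    for key_el in root.findall("key"):
        key_type = key_el.get("type")
        url = key_el.get("url")
        # Multiple <key> entries are allowed, as the quoted proposal suggests;
        # malformed entries are dropped rather than silently trusted.
        if key_type != "gpg" or not url:
            continue
        locations.append((key_type, url))
    return locations


def tampered_copy(metadata: bytes) -> bytes:
    """Constructed attacker-style edit: swap the key URL in an otherwise valid file."""
    return metadata.replace(b"repo.example.invalid", b"mirror.example.invalid")


if __name__ == "__main__":
    sig = sign_metadata(REPO_XML)
    print("signed metadata ->", trusted_key_locations(REPO_XML, sig))
    for label, doc, s in (("unsigned", REPO_XML, None),
                          ("tampered", tampered_copy(REPO_XML), sig)):
        try:
            trusted_key_locations(doc, s)
        except UntrustedMetadata as exc:
            print("%s metadata rejected: %s" % (label, exc))
```

The detached signature covers the raw bytes of the metadata file, not the parsed tree, so any edit to the document (including a substituted `url` attribute) invalidates it; the client never follows a key URL it could not trace back to a signer it already trusted.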
