[Rpm-metadata] detached gpg signature on repomd.xml
seth vidal
skvidal at linux.duke.edu
Sat Aug 26 16:30:18 UTC 2006
Hi folks,
As a result of a rather lengthy and ranging discussion elsewhere, it
came out that a gpg signature of repomd.xml would heighten the security
of using these types of repositories.
I was wondering if anyone had any objection to this and/or any interest
in working on the code to do it. Though, to be honest, I had considered
doing one of the following:
- using the GPG.py interface mentioned here:
http://wiki.python.org/moin/GnuPrivacyGuard
- using pyme (python gpg made easy); it's a python+gpgme+swig interface
- just calling the gpg command to sign and create the sig file as the
last step of the repository creation process.
Luke? Paul? What do you think?
-sv
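
The third option in the message above (calling the gpg command as the last step of repository creation), together with the matching client-side check, as an added example that is not part of the original message or of the project's code. The function names, the key identity and the sample repomd.xml are constructed; GnuPG 2.1 or later is assumed.

```shell
# Added example, not from the original message. Assumes GnuPG >= 2.1.
# Function names, key identity and the sample repomd.xml are constructed.

# Sign: run as the last step of repository creation.
# $1 = repodata directory, $2 = signing key id or email
sign_repomd() {
    gpg --batch --yes --local-user "$2" --armor \
        --detach-sign --output "$1/repomd.xml.asc" "$1/repomd.xml"
}

# Verify: run on the client before trusting anything listed in repomd.xml.
# Returns 0 only for a good signature by a key in the client's keyring,
# 3 if the signature file is missing, gpg's own non-zero status otherwise.
# The keyring must hold only keys the client trusts for this repository.
verify_repomd() {
    [ -f "$1/repomd.xml.asc" ] || return 3
    gpg --batch --verify "$1/repomd.xml.asc" "$1/repomd.xml" 2>/dev/null
}

# End-to-end check in a throwaway GNUPGHOME: sign, verify, tamper, strip.
# The body runs in a subshell so GNUPGHOME does not leak to the caller.
demo() (
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    mkdir "$work/repodata" || return 1
    # Unprotected demo key; a real signing key would carry a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'repo-demo@example.invalid' default default never \
        2>/dev/null || return 1
    printf '<repomd><data type="primary"/></repomd>\n' \
        > "$work/repodata/repomd.xml"
    sign_repomd "$work/repodata" 'repo-demo@example.invalid' || return 1
    verify_repomd "$work/repodata" || return 1      # untouched: must pass
    echo '<!-- tampered -->' >> "$work/repodata/repomd.xml"
    if verify_repomd "$work/repodata"; then return 1; fi  # modified: must fail
    rm "$work/repodata/repomd.xml.asc"
    rc=0; verify_repomd "$work/repodata" || rc=$?   # stripped: must return 3
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$rc" -eq 3 ]
)
```

Calling `demo` exercises all three cases. A client that treats a missing repomd.xml.asc as acceptable gains nothing from the signature, which is why `verify_repomd` fails closed in that case.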