[Rpm-metadata] detached gpg signature on repomd.xml

seth vidal skvidal at linux.duke.edu
Sat Aug 26 16:30:18 UTC 2006


Hi folks,
 as a result of a rather lengthy and ranging discussion elsewhere it
came out that a gpg signature of repomd.xml would heighten the security
of using these types of repositories.

I was wondering if anyone had any objection to this and/or any interest
in working on the code to do it. Though, to be honest I had considered
doing one of the following:

 - using the GPG.py interface mentioned here:   
         http://wiki.python.org/moin/GnuPrivacyGuard
 - using pyme (python gpg made easy); it's a python+gpgme+swig interface
 - just calling the gpg command to sign and create the sig file as the
last step of the repository creation process.

Luke? Paul? What do you think?

-sv
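
The third option above (calling the gpg command as the last step), as an added example that is not part of the original post or of any project's code. The `repomd.xml.asc` file name, the throwaway key, the directory layout and the sample `repomd.xml` are assumptions constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: detached signature over repomd.xml using the gpg CLI.
# File names, key identity and directory layout are constructed for the demo.

# Sign repodata/repomd.xml in repo dir $1 with the secret key in GNUPGHOME $2.
sign_repomd() {
    gpg --homedir "$2" --batch --yes --armor \
        --detach-sign --output "$1/repodata/repomd.xml.asc" \
        "$1/repodata/repomd.xml"
}

# Verify against keyring $2, which should hold only the repository's public
# key: gpg --verify accepts a good signature from ANY key in the keyring.
verify_repomd() {
    gpg --homedir "$2" --batch --verify \
        "$1/repodata/repomd.xml.asc" "$1/repodata/repomd.xml" 2>/dev/null
}

# End-to-end run with a throwaway key. Returns 0 only if the untouched file
# verifies and a modified file is rejected.
demo() {
    local work signer client repo rc=1
    work=$(mktemp -d) || return 1
    signer="$work/signer"; client="$work/client"; repo="$work/repo"
    mkdir -m 700 "$signer" "$client"
    mkdir -p "$repo/repodata"
    # Constructed repomd.xml: it lists checksums of the other metadata files,
    # so one signature here covers them transitively.
    cat > "$repo/repodata/repomd.xml" <<'EOF'
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <checksum type="sha">0000000000000000000000000000000000000000</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF
    gpg --homedir "$signer" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Repo Key <repo@example.invalid>' \
        default default never 2>/dev/null &&
    gpg --homedir "$signer" --armor --export > "$work/pub.asc" &&
    gpg --homedir "$client" --batch --import "$work/pub.asc" 2>/dev/null &&
    sign_repomd "$repo" "$signer" &&
    verify_repomd "$repo" "$client" &&
    { echo '<!-- tampered -->' >> "$repo/repodata/repomd.xml"
      ! verify_repomd "$repo" "$client"; } && rc=0
    gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    return $rc
}
```

Source the file and run `demo` to exercise the whole flow; it needs GnuPG 2.1 or later for `--quick-generate-key`.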




