[Yum-devel] gpg signature checking repomd.xml

seth vidal skvidal at fedoraproject.org
Tue Aug 7 15:48:19 UTC 2007


Hi folks,
So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
non-code issue: it's more about policy.

So if you have a repo like:

[foo]
name=foo
baseurl=...
gpgcheck=1


and the repomd.xml is NOT signed, do we fail out?

Now, my initial response is yes, but it means all those repos with
unsigned repomd.xml will suddenly fail even though the pkgs are signed.

If we don't fail out then we have to add _something_ to tell the repo to
also fail on invalid repomd.xml signature. I don't like this option
overly much but not failing on a gpg signature missing seems like the
wrong thing, too.

Suggestions welcome?

-sv
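The two policies the mail weighs, modelled as code. This is an added example, not code from the mail or from yum itself: it parses a constructed .repo file with the same shape as the one above, treats the signature check result as an input (real verification would call gpg against the repo's trusted key), and compares option 1 (gpgcheck=1 alone requires a valid repomd.xml signature) with option 2 (gpgcheck=1 covers packages only, and a separate key turns on metadata checking). The key name `repo_sigcheck` is a hypothetical stand-in for the "_something_" the mail says would have to be added. One choice the example makes on its own: a signature that is present but fails verification is rejected under both options, since a mismatch is a stronger signal than an absent file.

```python
import configparser
from enum import Enum

# Constructed sample .repo file mirroring the mail's [foo] stanza, plus a
# second repo that opts in to metadata checking via the hypothetical
# repo_sigcheck key (an assumption of this example, not a real yum option).
SAMPLE_REPO_FILE = """
[foo]
name=foo
baseurl=http://example.invalid/foo
gpgcheck=1

[bar]
name=bar
baseurl=http://example.invalid/bar
gpgcheck=1
repo_sigcheck=1
"""


class SigStatus(Enum):
    VALID = "valid"      # repomd.xml.asc present and verifies against a trusted key
    MISSING = "missing"  # the repo publishes no repomd.xml.asc at all
    INVALID = "invalid"  # signature present but does not verify


def load_repos(text):
    """Parse .repo-style INI text into {repo_id: {option: bool}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    repos = {}
    for sect in cp.sections():
        repos[sect] = {
            "gpgcheck": cp.getboolean(sect, "gpgcheck", fallback=False),
            "repo_sigcheck": cp.getboolean(sect, "repo_sigcheck", fallback=False),
        }
    return repos


def repomd_acceptable(repo, status, strict_gpgcheck):
    """
    Decide whether repomd.xml may be trusted given its signature status.

    strict_gpgcheck=True  -> option 1: gpgcheck=1 by itself demands a valid
                             metadata signature, so unsigned repos fail.
    strict_gpgcheck=False -> option 2: gpgcheck=1 only covers packages; the
                             separate repo_sigcheck key enables metadata checks.
    """
    if not repo["gpgcheck"]:
        # Checking disabled for this repo: nothing is verified at all.
        return True
    if status is SigStatus.VALID:
        return True
    if status is SigStatus.INVALID:
        # Present-but-wrong signature: fail closed under either option.
        return False
    # status is MISSING: this is where the two options differ.
    if strict_gpgcheck:
        return False
    return not repo["repo_sigcheck"]


def evaluate(repos, statuses, strict_gpgcheck):
    """Apply the policy to every repo; returns {repo_id: accepted?}."""
    return {
        rid: repomd_acceptable(repo, statuses[rid], strict_gpgcheck)
        for rid, repo in repos.items()
    }


if __name__ == "__main__":
    repos = load_repos(SAMPLE_REPO_FILE)
    # Constructed outcome: neither repo signs its metadata yet.
    statuses = {"foo": SigStatus.MISSING, "bar": SigStatus.MISSING}
    for strict in (True, False):
        print("strict" if strict else "opt-in", evaluate(repos, statuses, strict))
```

Running it shows the trade-off in the mail directly: under the strict policy every gpgcheck=1 repo without a repomd.xml.asc stops working the day the feature ships, while under the opt-in policy only repos that asked for metadata checking are affected, at the cost of unsigned metadata being silently accepted everywhere else.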
