[Yum-devel] gpg signature checking repomd.xml
Bret McMillan
bretm at redhat.com
Tue Aug 7 16:19:45 UTC 2007
seth vidal wrote:
> Hi folks,
> So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> non-code issue - it's more about policy.
>
> So if you have a repo like:
>
> [foo]
> name=foo
> baseurl=...
> gpgcheck=1
>
>
> and the repomd.xml is NOT signed do we fail out?
>
> now, my initial response is yes, but it means all those repos with
> unsigned repomd.xml will suddenly fail even though the pkgs are signed.
>
> If we don't fail out then we have to add _something_ to tell the repo to
> also fail on invalid repomd.xml signature. I don't like this option
> overly much but not failing on a gpg signature missing seems like the
> wrong thing, too.
>
> suggestions welcome?
I guess for legacy-support reasons I'd expect this not to be owned by
the same gpgcheck option. Personally, I'd add a new option, but default
it to on.
--Bret
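One way to model the policy Bret proposes (a repomd.xml check owned by its own option, defaulting to on, while `gpgcheck` keeps governing packages), as an added example that is not code from yum or from anyone in this thread. The option name `repo_gpgcheck`, the injected verifier callable (a real implementation would run gpg/gpgv against the detached signature) and the sample `.repo` stanzas are all assumptions made for the example:

```python
"""Policy model for repomd.xml signature checking (added example, not yum code).

Assumptions, none of which come from the thread:
  - a per-repo option `repo_gpgcheck`, separate from `gpgcheck`, that defaults
    to on when absent (Bret's suggestion);
  - signature verification is injected as a callable returning a SigState, so
    the module runs offline; real code would call gpg/gpgv on repomd.xml.asc.
"""
import configparser
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class SigState(Enum):
    VALID = "valid"      # detached signature present and verifies
    MISSING = "missing"  # no signature shipped with repomd.xml
    INVALID = "invalid"  # signature present but does not verify / unknown key


@dataclass(frozen=True)
class RepoPolicy:
    name: str
    gpgcheck: bool       # package signature checking (the existing option)
    repo_gpgcheck: bool  # repomd.xml signature checking (assumed new option)


def parse_repo_config(text: str, default_repo_gpgcheck: bool = True) -> List[RepoPolicy]:
    """Parse .repo-style INI text into RepoPolicy objects.

    `gpgcheck` keeps yum's historical default (off); the assumed new
    `repo_gpgcheck` defaults to on so that only repos that opt out with
    repo_gpgcheck=0 keep the legacy behaviour."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [
        RepoPolicy(
            name=section,
            gpgcheck=cp.getboolean(section, "gpgcheck", fallback=False),
            repo_gpgcheck=cp.getboolean(section, "repo_gpgcheck",
                                        fallback=default_repo_gpgcheck),
        )
        for section in cp.sections()
    ]


def check_repomd(policy: RepoPolicy, verify: Callable[[], SigState]) -> Tuple[bool, str]:
    """Decide whether a downloaded repomd.xml may be used.

    With repo_gpgcheck on, both a missing and an invalid signature fail
    closed, so an attacker who strips the signature gains nothing over one
    who forges it. With it off, the verifier is never consulted: that is the
    legacy-compat path for repos that only sign packages."""
    if not policy.repo_gpgcheck:
        return True, f"{policy.name}: repomd.xml signature not checked (repo_gpgcheck=0)"
    state = verify()
    if state is SigState.VALID:
        return True, f"{policy.name}: repomd.xml signature verified"
    if state is SigState.MISSING:
        return False, f"{policy.name}: repomd.xml is unsigned and repo_gpgcheck=1"
    return False, f"{policy.name}: repomd.xml signature is invalid"


def evaluate_all(config_text: str, states: Dict[str, SigState]) -> Dict[str, Tuple[bool, str]]:
    """Run check_repomd over every repo in config_text, using `states` as the
    simulated outcome of verification for each repo (constructed input)."""
    return {
        p.name: check_repomd(p, lambda p=p: states[p.name])
        for p in parse_repo_config(config_text)
    }


# Constructed sample .repo file (not from the thread). `foo` mirrors Seth's
# stanza with a made-up baseurl; `legacy` opts out of the assumed new option.
SAMPLE_REPO_CONFIG = """\
[foo]
name=foo
baseurl=http://example.invalid/foo
gpgcheck=1

[legacy]
name=legacy
baseurl=http://example.invalid/legacy
gpgcheck=1
repo_gpgcheck=0
"""

if __name__ == "__main__":
    # Simulate both repos shipping an unsigned repomd.xml.
    for name, (ok, why) in evaluate_all(
        SAMPLE_REPO_CONFIG,
        {"foo": SigState.MISSING, "legacy": SigState.MISSING},
    ).items():
        print("ACCEPT" if ok else "REJECT", why)
```

The decision table this encodes: a repo that says only `gpgcheck=1` gets the metadata check by default and fails if repomd.xml is unsigned or mis-signed, which is the "suddenly fail" outcome Seth worries about, but an admin can restore the old behaviour per repo with `repo_gpgcheck=0` without touching package checking. Note the trade-off in the opt-out path: with `repo_gpgcheck=0` the verifier is skipped entirely, so a present-but-invalid signature is not even noticed.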