[Yum-devel] gpg signature checking repomd.xml
seth vidal
skvidal at fedoraproject.org
Wed Aug 8 05:33:58 UTC 2007
On Tue, 2007-08-07 at 18:42 +0200, Florian Festi wrote:
> seth vidal wrote:
> > On Tue, 2007-08-07 at 12:19 -0400, Bret McMillan wrote:
> >> seth vidal wrote:
> >>> Hi folks,
> >>> So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> >>> non-code issue - it's more about policy.
> >>>
> >>> So if you have a repo like:
> >>>
> >>> [foo]
> >>> name=foo
> >>> baseurl=...
> >>> gpgcheck=1
> >>>
> >>>
> >>> and the repomd.xml is NOT signed do we fail out?
> >>>
> >>> now, my initial response is yes, but it means all those repos with
> >>> unsigned repomd.xml will suddenly fail even though the pkgs are signed.
> >>>
> >>> If we don't fail out then we have to add _something_ to tell the repo to
> >>> also fail on invalid repomd.xml signature. I don't like this option
> >>> overly much but not failing on a gpg signature missing seems like the
> >>> wrong thing, too.
> >>>
> >>> suggestions welcome?
> >> I guess for legacy-support reasons I'd expect this not to be owned by
> >> the same gpgcheck option. Personally, I'd add a new option, but default
> >> it to on.
> >>
> >
> > that means a yum 3.2.X update for f7 would need to be patched to default
> > to off, I think.
> >
> > maybe this feature is best post-development branching rather than 3.2.X
>
> May be the best solution is to stick to just "gpgcheck" and update
> createrepo right now and tell everybody to fix their repo creation process.
> We can then change the yum behavior for the major release 3.3.0 and ship it
> only for a new release of Fedora (8 or 9) (and tell all other distributions
> to do the same).
>
'everybody' is an amazing number of people many of whom we cannot reach.
-sv
More information about the Yum-devel
mailing list