[Yum-devel] gpg signature checking repomd.xml

seth vidal skvidal at fedoraproject.org
Wed Aug 8 05:33:58 UTC 2007


On Tue, 2007-08-07 at 18:42 +0200, Florian Festi wrote:
> seth vidal wrote:
> > On Tue, 2007-08-07 at 12:19 -0400, Bret McMillan wrote:
> >> seth vidal wrote:
> >>> Hi folks,
> >>>  So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> >>> non-code issue - it's more about policy.
> >>>
> >>> So if you have a repo like:
> >>>
> >>> [foo]
> >>> name=foo
> >>> baseurl=...
> >>> gpgcheck=1
> >>>
> >>>
> >>> and the repomd.xml is NOT signed do we fail out? 
> >>>
> >>> now, my initial response is yes, but it means all those repos with
> >>> unsigned repomd.xml will suddenly fail even though the pkgs are signed.
> >>>
> >>> If we don't fail out then we have to add _something_ to tell the repo to
> >>> also fail on invalid repomd.xml signature. I don't like this option
> >>> overly much but not failing on a gpg signature missing seems like the
> >>> wrong thing, too.
> >>>
> >>> suggestions welcome?
> >> I guess for legacy-support reasons I'd expect this not to be owned by 
> >> the same gpgcheck option.  Personally, I'd add a new option, but default 
> >> it to on.
> >>
> > 
> > that means a yum 3.2.X update for f7 would need to be patched to default
> > to off, I think.
> > 
> > maybe this feature is best post-development branching rather than 3.2.X
> 
> May be the best solution is to stick to just "gpgcheck" and update 
> createrepo right now and tell everybody to fix their repo creation process. 
> We can then change the yum behavior for the major release 3.3.0 and ship it 
> only for a new release of Fedora (8 or 9) (and tell all other distributions 
> to do the same).
> 

'everybody' is an amazing number of people many of whom we cannot reach.

-sv





More information about the Yum-devel mailing list