[Yum-devel] pygpgme and yum

seth vidal skvidal at linux.duke.edu
Tue Jul 3 21:37:57 UTC 2007


On Tue, 2007-07-03 at 12:04 -0400, seth vidal wrote:
> On Tue, 2007-07-03 at 07:39 -0400, James Bowes wrote:
> > On Tue, Jul 03, 2007 at 12:54:12AM -0400, seth vidal wrote:
> > > 1. gpg keyring outside of the rpmdb for verifying the repomd.xml
> > >    - we could do either:
> > >       1. make  gpg keyring on the fly from the pubkey entries in the
> > > rpmdb and 
> > >          save it
> > >       2. when we import the gpg keys to begin with we also import them
> > > into this 
> > >          gpg keyring
> > 
> > While 1 sounds so terribly icky, I can imagine a case where somebody
> > might import a gpg key by hand, bypassing yum's chance to import the key
> > into its own keyring. So perhaps 1 is the better option.
> 
> And it lets us handle people who are upgrading to a version of yum that
> supports this.
> 
> I've written a simple little 'import all keys from the rpmdb into one
> gpg keyring per key' script. It's very simple but should be very do-able
> to import for yum's use. 
> 
> http://linux.duke.edu/~skvidal/useful-scripts/import-to-keyrings.py
> 
> James and I were talking on jabber about where things should go. He
> suggested putting things in a single keyring for all of yum
> in /var/cache/yum somewhere. This sounds reasonable to me. Any other
> thoughts on it?
> 

Alright, in the continuation of silly thoughts:
if we have a signed and valid repomd.xml (or a detached signature)
that lets us know that the repomd.xml was made by people we trust
(ostensibly)
the checksums in there let us know that the primary, filelists, groups
and other metadata. The checksums in THOSE let us know that the pkgs
are valid.

so if we're checking the repomd.xml for a gpg signature - why do we have
to check package signatures, too?

-sv
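The trust chain sketched in the message above (signed repomd.xml, then metadata checksums, then package checksums), as an added example that is not part of the original thread or of yum's own code. The `signature_ok` callable stands in for gpg/pygpgme verification of the detached signature against yum's keyring (an assumption, so the example runs without gpg), and the one-package repository contents are constructed sample data.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"      # namespace of repomd.xml
COMMON_NS = "{http://linux.duke.edu/metadata/common}"  # namespace of primary.xml
ALGOS = {"sha": "sha1"}  # older createrepo writes type="sha" for SHA-1

def digest(data, algo):
    return hashlib.new(ALGOS.get(algo, algo), data).hexdigest()

def verify_chain(repomd_bytes, signature_ok, metadata_files, package_files):
    """Trusted repomd.xml -> metadata checksums -> package checksums.
    signature_ok(repomd_bytes) is an assumed stand-in for gpg verification of the
    detached signature against yum's keyring; the dicts map XML href -> bytes.
    Returns hrefs of packages chained to repomd.xml; ValueError on a broken link."""
    if not signature_ok(repomd_bytes):
        raise ValueError("repomd.xml signature did not verify")
    verified = []
    for data in ET.fromstring(repomd_bytes).findall(REPO_NS + "data"):
        href = data.find(REPO_NS + "location").get("href")
        cksum = data.find(REPO_NS + "checksum")
        body = metadata_files[href]
        if digest(body, cksum.get("type")) != cksum.text:
            raise ValueError("checksum mismatch for metadata " + href)
        if data.get("type") != "primary":
            continue  # filelists etc. are covered above; only primary lists packages
        for pkg in ET.fromstring(body).findall(COMMON_NS + "package"):
            phref = pkg.find(COMMON_NS + "location").get("href")
            pck = pkg.find(COMMON_NS + "checksum")
            if digest(package_files[phref], pck.get("type")) != pck.text:
                raise ValueError("checksum mismatch for package " + phref)
            verified.append(phref)
    return verified

def chain_ok(*args):
    # True if every link verified, False at the first broken link.
    try:
        verify_chain(*args)
        return True
    except ValueError:
        return False

# Constructed sample repo: one fake package, its primary.xml and the repomd.xml.
PKG = b"constructed fake rpm payload"
PRIMARY = ('<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
           '<package type="rpm"><name>demo</name><checksum type="sha256" pkgid="YES">'
           '%s</checksum><location href="demo-1.0-1.noarch.rpm"/></package></metadata>'
           % digest(PKG, "sha256")).encode()
REPOMD = ('<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
          '<checksum type="sha256">%s</checksum><location href="repodata/primary.xml"/>'
          '</data></repomd>' % digest(PRIMARY, "sha256")).encode()
```

Note that only packages reached through this metadata are covered; a package checked in by any other path still has nothing but its own rpm signature vouching for it.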
