[Yum] Re: CLI switch to disable GPG
Florin Andrei
florin at andrei.myip.org
Sat Jul 16 17:57:31 UTC 2005
On Sat, 2005-07-16 at 13:18 -0400, Tom Diehl wrote:
> On Sat, 16 Jul 2005, Florin Andrei wrote:
> >
> > The big repos are using GPG, but people who just happen to maintain a
> > few RPMs very rarely do.
>
> Ok, but what is wrong with adding gpgcheck=0 to the repo you do not want
> the checks to be done on?
That repo is typically Fedora itself ;-) (that's the one that 'yum
localinstall' is typically calling) and I do not want to grab Fedora
packages from a mirror in the neck of the woods somewhere, and the
packages be compromised.
> OTOH, if you trust them enough to install the
> packages in the first place, why not just sign the packages yourself. At
> least then you are reasonably sure the package you think you are installing
> is the one that gets installed.
I did not know that it was possible to sign a package after it was
built. I see now, I think it's the "Signing A Package" section in the
rpm man page. Thanks.
But anyway, it's still a minor hassle from the user's p.o.v. I know many
semi-educated people who can grasp the "concept" of doing 'yum
localinstall' but who would balk at self-signing packages.
Since yum is all about simplifying package management, I thought it
would make sense to add a flag to skip the GPG defaults when the
situation requires it.
Anyway, it was just a thought...
--
Florin Andrei
http://florin.myip.org/
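
An added example, not part of the original message or of yum itself: a small audit that lists which repositories end up with `gpgcheck` off, given that a repo section can override the `[main]` setting as suggested in the thread. The repo names, URLs and the `unchecked_repos` helper are constructed for illustration, and a repo with no `gpgcheck` value anywhere is reported as unchecked, which is an assumption made for the audit.

```python
import configparser

# Constructed sample: a yum.conf [main] section plus two repo definitions.
SAMPLE = """\
[main]
gpgcheck=1

[fedora]
name=Fedora (constructed mirror entry)
baseurl=http://mirror.example.invalid/fedora/
# no gpgcheck line here, so the [main] value applies

[local-rpms]
name=Locally built packages (constructed)
baseurl=file:///srv/local-rpms/
gpgcheck=0
"""


def unchecked_repos(text):
    """Return the sorted names of repos whose effective gpgcheck is off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # Assumption: when neither the repo nor [main] sets gpgcheck, report the
    # repo as unchecked (the conservative reading for an audit).
    main_default = False
    if cp.has_section("main") and cp.has_option("main", "gpgcheck"):
        main_default = cp.getboolean("main", "gpgcheck")
    off = []
    for name in cp.sections():
        if name == "main":
            continue
        # A per-repo value overrides the [main] default.
        enabled = cp.getboolean(name, "gpgcheck", fallback=main_default)
        if not enabled:
            off.append(name)
    return sorted(off)


if __name__ == "__main__":
    for repo in unchecked_repos(SAMPLE):
        print("gpgcheck disabled:", repo)
```

To audit a real system, pass in the concatenated text of the main configuration file and the repo definition files.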