On Fri, Mar 20, 2020 at 8:35 AM Neal Gompa <ngomp...@gmail.com> wrote:
> On Thu, Mar 19, 2020 at 11:14 PM Dennis Kliban <dkli...@redhat.com> wrote:
> >
> > RPM plugin allows users to define a signing service per repository. All
> > publications created from repository versions of that repository are
> > signed with that signing service.
> >
> > The Debian plugin requires the user to specify the signing service each
> > time a publication is created. The signing service foreign key is stored
> > with each publication.
> >
> > Even though the implementation in Debian requires the user to provide
> > the service href each time a publication is created, it seems like a
> > stronger model. The signing service associated with a repository can
> > change thus making it challenging to keep track of which signing service
> > was used to create a publication.
> >
> > We should change the behavior in the RPM plugin before we release this
> > feature.
>
> Isn't the reason for the difference that Debian repos only have
> repodata signed and not packages?
>
> I guess technically we could use different GPG keys for each
> repository publish, but that would lead to multiple copies of the same
> RPM with different data, since the expectation is that both RPMs and
> the repodata should be signed for RPM repositories.
>

The RPM plugin does not currently provide the ability to sign packages.
This discussion is only about signing the metadata.

> --
> 真実はいつも一つ!/ Always, there's only one truth!
>
_______________________________________________
Pulp-dev mailing list
Pulp-dev@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-dev