On Tue, 2007-07-03 at 17:37 -0400, seth vidal wrote:
> so if we're checking the repomd.xml for a gpg signature - why do we have
> to check package signatures, too?

Because we're paranoid. And just because the repomd.xml is signed doesn't give any guarantees at all about what key the packages were signed with.

Jeremy

_______________________________________________
Yum-devel mailing list
[email protected]
https://lists.dulug.duke.edu/mailman/listinfo/yum-devel
