On Tue, 2007-07-03 at 19:39 -0400, Jeremy Katz wrote:
> On Tue, 2007-07-03 at 17:37 -0400, seth vidal wrote:
> > so if we're checking the repomd.xml for a gpg signature - why do we have
> > to check package signatures, too?
>
> Because we're paranoid. And just because the repomd.xml is signed
> doesn't give any guarantees at all about what key the packages were
> signed with.
>

Well, to be clear we don't check which key a package is signed with now.
Only that the key it is signed with is in the rpmdb. That narrows the
field, of course.

-sv
_______________________________________________
Yum-devel mailing list
[email protected]
https://lists.dulug.duke.edu/mailman/listinfo/yum-devel
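The two checks discussed in this thread, side by side, as an added example that is not yum's code and not part of the original message: the check Seth describes (the signing key must merely be present in the rpmdb, which is what a status of OK from rpm means) and the stricter check Jeremy's point implies (the package must be signed by the key the repository is configured to trust). The input is a constructed sample written in the shape of `rpm -Kv` output, the key ids in it are made up, and the per-repository expected key id is an assumption of this example; yum's own gpgkey setting names a key file rather than an id.

```python
import re

# Constructed sample in the shape of `rpm -Kv` output (not captured from a real
# system); the key ids below are made up for illustration.
SAMPLE_RPM_KV_OUTPUT = """\
foo-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 1234abcd: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 1234abcd: OK
    MD5 digest: OK
bar-2.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID deadbeef: NOKEY
    MD5 digest: OK
baz-3.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 5678ef01: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 5678ef01: OK
    MD5 digest: OK
qux-4.0-1.noarch.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK
"""

# Assumed: the key id the repository configuration says packages must be signed with.
REPO_KEY_ID = "1234abcd"

# Matches the signature lines; digest-only lines carry no key id and are skipped.
SIG_LINE = re.compile(r"Signature, key ID ([0-9a-f]+): (\w+)")


def parse_rpm_kv(text):
    """Map package file name -> (key id, status) or None when no signature line
    was printed for the package (i.e. it is unsigned)."""
    results = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1]
            results[current] = None
            continue
        m = SIG_LINE.search(line)
        if m and current is not None and results[current] is None:
            # Header and payload signatures normally share a key; keep the first.
            results[current] = (m.group(1), m.group(2))
    return results


def rpmdb_only_verdicts(results):
    """The check described in the thread: rpm reports OK whenever the signing
    key is any key imported into the rpmdb, regardless of which key it is."""
    verdicts = {}
    for pkg, sig in results.items():
        if sig is None:
            verdicts[pkg] = "rejected: unsigned"
        elif sig[1] == "OK":
            verdicts[pkg] = "accepted"
        else:
            verdicts[pkg] = f"rejected: signature status {sig[1]}"
    return verdicts


def repo_key_verdicts(results, repo_key_id):
    """Stricter policy: the signature must verify AND the key id must be the
    one configured for the repository the package came from."""
    verdicts = {}
    for pkg, sig in results.items():
        if sig is None:
            verdicts[pkg] = "rejected: unsigned"
            continue
        key_id, status = sig
        if status == "NOKEY":
            verdicts[pkg] = "rejected: key not in rpmdb"
        elif status != "OK":
            verdicts[pkg] = f"rejected: signature status {status}"
        elif key_id != repo_key_id:
            verdicts[pkg] = f"rejected: signed by key {key_id}, repo key is {repo_key_id}"
        else:
            verdicts[pkg] = "accepted"
    return verdicts


if __name__ == "__main__":
    parsed = parse_rpm_kv(SAMPLE_RPM_KV_OUTPUT)
    for pkg in parsed:
        print(f"{pkg}: rpmdb-only={rpmdb_only_verdicts(parsed)[pkg]!r} "
              f"repo-key={repo_key_verdicts(parsed, REPO_KEY_ID)[pkg]!r}")
```

The difference shows up on the third package: it is signed by a key that happens to be in the rpmdb, so the rpmdb-only check accepts it, while the per-repository check rejects it because that key is not the one the repository is supposed to use. A signed repomd.xml does not close that gap on its own, which is the point Jeremy makes above.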
