On Tue, Jul 03, 2007 at 12:04:47PM -0400, seth vidal wrote:
> On Tue, 2007-07-03 at 07:39 -0400, James Bowes wrote:
> > On Tue, Jul 03, 2007 at 12:54:12AM -0400, seth vidal wrote:
> > > 1. gpg keyring outside of the rpmdb for verifying the repomd.xml
> > >    - we could do either:
> > >      1. make gpg keyring on the fly from the pubkey entries in the rpmdb and save it
> > >      2. when we import the gpg keys to begin with we also import them into this gpg keyring
> >
> > While 1 sounds so terribly icky, I can imagine a case where somebody
> > might import a gpg key by hand, bypassing yum's chance to import the key
> > into its own keyring. So perhaps 1 is the better option.
>
> And it lets us handle people who are upgrading to a version of yum that
> supports this.
>
> I've written a simple little 'import all keys from the rpmdb into one
> gpg keyring per key' script. It's very simple but should be very do-able
> to import for yum's use.
>
> http://linux.duke.edu/~skvidal/useful-scripts/import-to-keyrings.py
>
> James and I were talking on jabber about where things should go. He
> suggested putting things in a single keyring for all of yum
> in /var/cache/yum somewhere. This sounds reasonable to me. Any other

/var/cache doesn't seem like a good place to be putting keyrings. I thought that the intent behind /var/cache/ was that you could delete it and things would still work?

Next question: are you implementing this in a way that is compatible with the way that SUSE signs repos? I just implemented signed repos on my repos and would hate to have to redo things just because yum does it differently. SUSE expects repomd.xml.asc and repomd.xml.key. If the signature isn't already in the db, it will download repomd.xml.key and offer to import that for you.

-- Michael
