On Tue, 2007-08-07 at 12:19 -0400, Bret McMillan wrote:
> seth vidal wrote:
> > Hi folks,
> > So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> > non-code issue - it's more about policy.
> >
> > So if you have a repo like:
> >
> > [foo]
> > name=foo
> > baseurl=...
> > gpgcheck=1
> >
> >
> > and the repomd.xml is NOT signed do we fail out?
> >
> > now, my initial response is yes, but it means all those repos with
> > unsigned repomd.xml will suddenly fail even though the pkgs are signed.
> >
> > If we don't fail out then we have to add _something_ to tell the repo to
> > also fail on invalid repomd.xml signature. I don't like this option
> > overly much but not failing on a gpg signature missing seems like the
> > wrong thing, too.
> >
> > suggestions welcome?
>
> I guess for legacy-support reasons I'd expect this not to be owned by
> the same gpgcheck option. Personally, I'd add a new option, but default
> it to on.
>

that means a yum 3.2.X update for f7 would need to be patched to default
to off, I think.

maybe this feature is best post-development branching rather than 3.2.X

-sv

_______________________________________________
Yum-devel mailing list
https://lists.dulug.duke.edu/mailman/listinfo/yum-devel
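
The policy choices discussed in this thread, modelled as an added example (not code from the thread or from yum). The option name repomd_gpgcheck, the policy labels "reuse" and "separate", and the sample stanzas are assumptions made for illustration; signature verification itself is out of scope and its outcome is passed in as sig_state.

```python
import configparser

# Constructed sample stanzas; "repomd_gpgcheck" is a hypothetical option name.
SAMPLE_REPOS = """\
[foo]
name=foo
baseurl=http://mirror.example.invalid/foo
gpgcheck=1

[bar]
name=bar
baseurl=http://mirror.example.invalid/bar
gpgcheck=1
repomd_gpgcheck=0
"""

MISSING, VALID, INVALID = "missing", "valid", "invalid"

def load_repos(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def metadata_check_enabled(repo, policy, new_default=True):
    # "reuse":    the existing gpgcheck option also governs repomd.xml.
    # "separate": a new option governs repomd.xml; new_default is its default.
    if policy == "reuse":
        return repo.getboolean("gpgcheck", fallback=False)
    if policy == "separate":
        return repo.getboolean("repomd_gpgcheck", fallback=new_default)
    raise ValueError("unknown policy: %r" % policy)

def accept_repomd(repo, sig_state, policy, new_default=True):
    # sig_state is the outcome of a verification step performed elsewhere.
    if not metadata_check_enabled(repo, policy, new_default):
        return True, "metadata signature check disabled"
    if sig_state == VALID:
        return True, "valid signature"
    return False, "repomd.xml signature " + sig_state  # missing or invalid: fail

if __name__ == "__main__":
    repos = load_repos(SAMPLE_REPOS)
    for policy, default in (("reuse", True), ("separate", True), ("separate", False)):
        for name in repos.sections():
            for state in (MISSING, VALID, INVALID):
                ok, why = accept_repomd(repos[name], state, policy, default)
                print(policy, "default=%s" % default, name, state, ok, why)
```

With the separate option defaulting to off, the legacy repo [foo] keeps working but an invalid repomd.xml signature is also accepted until the admin opts in.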
