seth vidal wrote:
On Tue, 2007-08-07 at 12:19 -0400, Bret McMillan wrote:
seth vidal wrote:
Hi folks,
 So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
non-code issue - it's more about policy.

So if you have a repo like:

[foo]
name=foo
baseurl=...
gpgcheck=1


and the repomd.xml is NOT signed do we fail out?
now, my initial response is yes, but it means all those repos with
unsigned repomd.xml will suddenly fail even though the pkgs are signed.

If we don't fail out then we have to add _something_ to tell the repo to
also fail on invalid repomd.xml signature. I don't like this option
overly much but not failing on a gpg signature missing seems like the
wrong thing, too.

suggestions welcome?
I guess for legacy-support reasons I'd expect this not to be owned by the same gpgcheck option. Personally, I'd add a new option, but default it to on.


that means a yum 3.2.X update for f7 would need to be patched to default
to off, I think.

maybe this feature is best post-development branching rather than 3.2.X

Maybe the best solution is to stick to just "gpgcheck" and update createrepo right now and tell everybody to fix their repo creation process. We can then change the yum behavior for the major release 3.3.0 and ship it only for a new release of Fedora (8 or 9) (and tell all other distributions to do the same).

Florian
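The policy choices debated in this thread (fail on unsigned repomd.xml under plain gpgcheck, or add a separate option that defaults on, or patch a 3.2.X update to default it off) can be laid out as a small decision function. The following is an added example written for this page, not yum's own code: the option name `repo_gpgcheck` is a placeholder for the "new option" proposed above, the `.repo` text is constructed in the shape of the `[foo]` stanza quoted in the thread, and the signature states are modelled rather than produced by a real gpg verification. The last function is the pre-flight check an operator would want for the concern that currently-working repos with unsigned metadata would suddenly fail.

```python
import configparser
from enum import Enum


class SigState(Enum):
    """Outcome of checking the detached signature on a fetched repomd.xml."""
    MISSING = "missing"   # repository publishes no repomd.xml.asc
    INVALID = "invalid"   # a signature is present but does not verify
    VALID = "valid"       # signature verifies against a trusted repo key


# Constructed .repo file, shaped like the [foo] stanza quoted in the thread.
# `repo_gpgcheck` is a placeholder name for the separate option proposed above.
REPO_FILE = """\
[foo]
name=foo
baseurl=http://repo.example/foo
gpgcheck=1

[legacy]
name=legacy
baseurl=http://repo.example/legacy
gpgcheck=1
repo_gpgcheck=0
"""


def load_repos(text):
    """Parse .repo stanzas into {name: {"gpgcheck": bool, "repo_gpgcheck": bool|None}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    repos = {}
    for name in parser.sections():
        repos[name] = {
            "gpgcheck": parser.getboolean(name, "gpgcheck", fallback=False),
            # None means "not set", so the build-time default decides.
            "repo_gpgcheck": parser.getboolean(name, "repo_gpgcheck", fallback=None),
        }
    return repos


def repomd_accepted(repo, sig_state, default_repo_gpgcheck=True):
    """Decide whether a fetched repomd.xml may be used; returns (accepted, reason).

    gpgcheck keeps its legacy meaning (package signatures). repo_gpgcheck, when
    unset, takes `default_repo_gpgcheck`, so the same code models both the
    "default on" proposal and the "patched to default off" 3.2.X variant.
    A signature that is present but fails to verify is rejected whenever
    gpgcheck is on, even with repo_gpgcheck=0: tolerating it would make a
    corrupted or replaced .asc indistinguishable from an unsigned repo.
    """
    if not repo["gpgcheck"]:
        return True, "gpgcheck=0: no signature checks requested"
    if sig_state is SigState.VALID:
        return True, "repomd.xml signature verified"
    if sig_state is SigState.INVALID:
        return False, "repomd.xml signature present but does not verify"
    repo_check = repo["repo_gpgcheck"]
    if repo_check is None:
        repo_check = default_repo_gpgcheck
    if repo_check:
        return False, "repomd.xml is unsigned and repo_gpgcheck is on"
    return True, "repomd.xml unsigned; tolerated by repo_gpgcheck=0 (legacy)"


def repos_breaking_on_default_on(repos, sig_states):
    """Names of repos that work today but would fail once the default flips on.

    `sig_states` maps repo name -> SigState observed for its current repomd.xml.
    """
    breaking = []
    for name, repo in repos.items():
        state = sig_states[name]
        ok_now, _ = repomd_accepted(repo, state, default_repo_gpgcheck=False)
        ok_later, _ = repomd_accepted(repo, state, default_repo_gpgcheck=True)
        if ok_now and not ok_later:
            breaking.append(name)
    return breaking


if __name__ == "__main__":
    repos = load_repos(REPO_FILE)
    # Constructed observation: neither repo ships a signed repomd.xml yet.
    observed = {"foo": SigState.MISSING, "legacy": SigState.MISSING}
    for name in repos:
        print(name, repomd_accepted(repos[name], observed[name]))
    print("would break under default-on:", repos_breaking_on_default_on(repos, observed))
```

Under the default-on proposal the `[foo]` repo is rejected as soon as its metadata is unsigned, while `[legacy]` opts out explicitly and keeps working; an invalid signature is rejected in both cases. Running the same decision with `default_repo_gpgcheck=False` models the patched 3.2.X behaviour, which is what makes the "would break" comparison possible.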
_______________________________________________
Yum-devel mailing list
[email protected]
https://lists.dulug.duke.edu/mailman/listinfo/yum-devel
