On Tue, 2007-08-07 at 11:48 -0400, seth vidal wrote:
> Hi folks,
> So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> non-code issue - it's more about policy.
>
> So if you have a repo like:
>
> [foo]
> name=foo
> baseurl=...
> gpgcheck=1
>
> and the repomd.xml is NOT signed do we fail out?
>
> now, my initial response is yes, but it means all those repos with
> unsigned repomd.xml will suddenly fail even though the pkgs are signed.

Well the other side is having to explain to people, over the next X
years, why gpgcheck=1 doesn't gpgcheck everything.

Personally I'd go for allowing gpgcheck to have comma separated values
like the following:

gpgcheck=none
gpgcheck=packages
gpgcheck=repo-metadata
gpgcheck=warn-repo-metadata
gpgcheck=packages,repo-metadata
gpgcheck=1 (compat.)
gpgcheck=0 (compat.)

...then default gpgcheck=1 to "packages,warn-repo-metadata", and change
it to the non-warn variant before fedora-9.

We'll probably want to keep the internal code using a boolean, in the
short term, for back compat. ... but we can fix that up later quite
easily.

All config. names thought up on the spot, feel free to suggest better
ones, etc.

_______________________________________________
Yum-devel mailing list
[email protected]
https://lists.dulug.duke.edu/mailman/listinfo/yum-devel
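
The gpgcheck value scheme proposed in the message above, sketched as an added example that is not part of the original post or of yum's code. The function names are hypothetical, and two behaviours are assumptions the message does not state: unknown values are rejected, and a present-but-invalid repomd.xml signature fails even in warn mode.

```python
# Added illustration; names below are hypothetical, not yum's config API.
KNOWN = {"packages", "repo-metadata", "warn-repo-metadata"}
# Compat mapping proposed in the message: 1 keeps package checks and only
# warns about metadata; 0 disables everything.
COMPAT = {"1": "packages,warn-repo-metadata", "0": "none"}


def parse_gpgcheck(value):
    """Return the set of checks enabled by a gpgcheck= value."""
    raw = COMPAT.get(value.strip().lower(), value)
    tokens = {t.strip().lower() for t in raw.split(",") if t.strip()}
    if not tokens:
        raise ValueError("empty gpgcheck value")
    if "none" in tokens:
        if len(tokens) > 1:
            raise ValueError("'none' cannot be combined with other checks")
        return frozenset()
    unknown = tokens - KNOWN
    if unknown:
        # Assumption: fail closed, so a typo cannot silently drop a check.
        raise ValueError("unknown gpgcheck value(s): " + ", ".join(sorted(unknown)))
    if "repo-metadata" in tokens:
        tokens.discard("warn-repo-metadata")  # the strict setting wins
    return frozenset(tokens)


def repomd_action(checks, repomd_signed, signature_valid=False):
    """Decide what to do with repomd.xml: 'accept', 'warn' or 'fail'."""
    if "repo-metadata" in checks:
        return "accept" if repomd_signed and signature_valid else "fail"
    if "warn-repo-metadata" in checks:
        if not repomd_signed:
            return "warn"  # unsigned repos keep working during the transition
        # Assumption: a signature that is present but bad is never just a warning.
        return "accept" if signature_valid else "fail"
    return "accept"  # metadata is not checked at all


if __name__ == "__main__":
    # Constructed sample values: how each setting treats an unsigned repomd.xml.
    for value in ("1", "0", "packages", "packages,repo-metadata"):
        checks = parse_gpgcheck(value)
        print(value, sorted(checks), repomd_action(checks, repomd_signed=False))
```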
