On Tue, 2007-08-07 at 18:42 +0200, Florian Festi wrote:
> seth vidal wrote:
> > On Tue, 2007-08-07 at 12:19 -0400, Bret McMillan wrote:
> >> seth vidal wrote:
> >>> Hi folks,
> >>> So I'm trying to put the repomd.xml signing into yum and I'm stuck on a
> >>> non-code issue - it's more about policy.
> >>>
> >>> So if you have a repo like:
> >>>
> >>> [foo]
> >>> name=foo
> >>> baseurl=...
> >>> gpgcheck=1
> >>>
> >>>
> >>> and the repomd.xml is NOT signed do we fail out?
> >>>
> >>> now, my initial response is yes, but it means all those repos with
> >>> unsigned repomd.xml will suddenly fail even though the pkgs are signed.
> >>>
> >>> If we don't fail out then we have to add _something_ to tell the repo to
> >>> also fail on invalid repomd.xml signature. I don't like this option
> >>> overly much but not failing on a gpg signature missing seems like the
> >>> wrong thing, too.
> >>>
> >>> suggestions welcome?
> >> I guess for legacy-support reasons I'd expect this not to be owned by
> >> the same gpgcheck option. Personally, I'd add a new option, but default
> >> it to on.
> >>
> >
> > that means a yum 3.2.X update for f7 would need to be patched to default
> > to off, I think.
> >
> > maybe this feature is best post-development branching rather than 3.2.X
>
> Maybe the best solution is to stick to just "gpgcheck" and update
> createrepo right now and tell everybody to fix their repo creation process.
> We can then change the yum behavior for the major release 3.3.0 and ship it
> only for a new release of Fedora (8 or 9) (and tell all other distributions
> to do the same).
>
'everybody' is an amazing number of people many of whom we cannot reach.

-sv
