On Mon, 2008-07-28 at 14:25 -0400, Jesse Keating wrote:
On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
> 1. repomd.xml needs to be signed. Either attached or detached sig
> (advice sought). If attached, format would be
I would prefer a detached sig, so that the checksum of repomd.xml itself
doesn't change if the GPG sig for it does. This is important as there
are control files in the compose to track consistency of the tree
itself, and having the repomd.xml change it's key would invalidate this
control file.
detached sig definitely. Independent of how (or why) this is done we
will maintain backward compat. Signing the repomd.xml directly will not
allow backward compat (nor cross compat with apt/smart/etc).
I've already written the code for the detached sig - it'll be checked
into yum upstream this afternoon.
-sv