On Fri, Jun 11, 2021 at 11:46:42AM -0400, Neal Gompa wrote:
> I would like repos signed even if we don't enable it in the repo
> definitions by default for now. That would make it possible for my Open
> Build Service instance to validate Fedora content for package builds
> (it can't use metalinks or mirrorlists, but it can check and validate
> signed repodata). I asked CentOS years ago to do this for the same
> reason, and they did it[1].

Sure, and when we can we can... but I don't think it should be
prioritized over work that actually has wider benefits.

> Also, not having it available has made it *very* hard to prioritize
> getting the issues fixed in DNF. So being able to improve this is
> predicated on the existence of signed metadata.

This seems odd to me. I mean, it can't be hard to set up a test repo, is
it? I suspect we could even ask QE folks to do some testing and map out
the issues they find. I don't think it's nice/ethical to break users
just as a means to make bugs we want to have fixed higher priority.
Anyhow, we are pretty off topic for this thread, so I'll try and stop...
kevin