On Tue, 28 May 2013 08:49:03 -0500
Bruno Wolff III <bruno(a)wolff.to> wrote:
> If we are willing to have packages being signed just mean they were
> built with koji, we could have a tool that could do the signing so
> that packages could move from pending to testing or updates without
> human intervention, and with the same key being used for all koji
> (non-scratch) builds, hard links could be used to save space on the
> mirrors for packages that appear in multiple repos.
I looked into this earlier this year. There is a koji plugin to do
this, but it's very unacceptable to koji upstream. It also means we
need to keep signed packages for everything for all time, which is more
space on our end and finally it's a nasty security issue as the
password for the key has to be stored in the plugin that does this.
A possibly nicer idea would be moving to signed repodata. Then if you
see the correct sha512 or whatever in the signed repodata you know the
package is good. That does have downsides too though, as you can't verify
things once they are obsolete or offline.
It's not an easy problem to solve...
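The signed-repodata model described in the reply, as an added example that is not part of the thread or of any Fedora/koji tooling: the repository publishes a listing of per-package sha512 digests plus a signature over that listing, and a client accepts a package only if the signature checks and the package's digest appears in the signed listing. To keep it runnable with only the standard library, an HMAC keyed with a hypothetical secret stands in for the detached GPG signature a real repository would use; the package names and payloads are constructed. The last scenario shows the downside the reply points out: once a package is dropped from the current repodata, the old package can no longer be verified through it.

```python
import hashlib
import hmac
import json

# Constructed sample payloads standing in for RPM files in a repo.
PACKAGES = {
    "foo-1.0-1.fc19.x86_64.rpm": b"constructed rpm payload for foo 1.0",
    "bar-2.3-4.fc19.x86_64.rpm": b"constructed rpm payload for bar 2.3",
}

# Hypothetical signing secret. A real repository would sign with an
# asymmetric (GPG) key; an HMAC is used here only so the example is
# self-contained. The security property demonstrated is the same:
# the digest listing cannot be altered without invalidating the signature.
SIGNING_KEY = b"hypothetical-repo-signing-key"


def build_repodata(packages):
    """Build repodata: a sha512 digest per package plus a signature
    over the canonical (sorted-key) serialization of that listing."""
    listing = {name: hashlib.sha512(data).hexdigest()
               for name, data in packages.items()}
    body = json.dumps(listing, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, body, hashlib.sha512).hexdigest()
    return {"body": body, "signature": signature}


def verify_signature(repodata):
    """Check the signature over the repodata body in constant time."""
    expected = hmac.new(SIGNING_KEY, repodata["body"], hashlib.sha512).hexdigest()
    return hmac.compare_digest(expected, repodata["signature"])


def verify_package(repodata, name, data):
    """Return (ok, reason). ok is True only when the repodata signature
    is valid and the package digest matches the signed listing."""
    if not verify_signature(repodata):
        return False, "repodata signature invalid"
    listing = json.loads(repodata["body"])
    if name not in listing:
        # The package is obsolete or otherwise absent from the current
        # repodata, so the signed metadata says nothing about it.
        return False, "package not listed in current repodata"
    digest = hashlib.sha512(data).hexdigest()
    if not hmac.compare_digest(digest, listing[name]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    repo = build_repodata(PACKAGES)
    foo = "foo-1.0-1.fc19.x86_64.rpm"

    print("genuine package:", verify_package(repo, foo, PACKAGES[foo]))
    print("tampered package:", verify_package(repo, foo, b"tampered payload"))

    # Editing the digest listing without re-signing breaks the signature.
    edited = dict(repo, body=repo["body"].replace(b"foo-1.0", b"foo-9.9"))
    print("edited repodata:", verify_package(edited, foo, PACKAGES[foo]))

    # foo is obsoleted: the new repodata no longer lists it, so the old
    # (still genuine) package cannot be verified through signed repodata.
    newer = build_repodata({k: v for k, v in PACKAGES.items() if k != foo})
    print("obsolete package:", verify_package(newer, foo, PACKAGES[foo]))
```

Because the signature covers the whole listing rather than individual packages, a mirror can serve packages from any source as long as the repodata it points to is intact; the trade-off, as the reply notes, is that verification depends on the package still being listed in some signed repodata the client can reach.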