On Oct 26, 2004, seth vidal <skvidal(a)phy.duke.edu> wrote:
>> Just don't let yum install packages that aren't signed. How about
>> you start a rawhide mirror with the following properties: if a
>> package is not signed, it won't be in your mirror; you'll keep the
>> previous version of such package instead.
> Then it would not be a rawhide mirror. It would be a rawhide
> distortion.
> mirror implies an identical reflection. :)
Well, not quite. Plane mirrors do. And, even then, there's a small
delay for the light to get from you to the mirror and back, so when
you see your image in the mirror, you're no longer what you're seeing
there :-) This wouldn't be that different :-)
> You could download the header from the package and look beyond it to
> see if there are any non-md5/sha1 signatures and if any of those are
> gpg signatures. However, you won't be able to know if it passes the
> sig check w/o downloading the whole package. And boy would that suck
> for the user.
No dispute here. But if it could, later on, realize that the package
was signed and use http interval fetch tricks to obtain only the
signature, it would be way cool.
>> It's unlikely that signed packages will have dependencies on unsigned
>> packages, because of the way signing is done, so odds are that, given
>> daily rawhide pushes, you'd be able to move forward quite regularly.
> except that testing would crawl to a halt on the unsigned packages.
Which would be a good reason for the key bearers :-) to actually sign
packages that go to rawhide more often.
--
Alexandre Oliva
http://www.ic.unicamp.br/~oliva/
Red Hat Compiler Engineer aoliva(a){redhat.com, gcc.gnu.org}
Free Software Evangelist oliva(a){lsd.ic.unicamp.br, gnu.org}
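An added example, not from this thread and not yum's code: a Python sketch of the two ideas above. It reads only the RPM lead and signature header (the part a ranged HTTP fetch can pull without the payload) to list which signature and digest tags are present, and applies the mirror policy from the thread, taking a candidate only when its header carries an OpenPGP signature tag and otherwise keeping the version already mirrored. Tag numbers follow rpm's rpmtag.h; the sample packages are constructed in the block and their signature bytes are opaque filler, so, exactly as the thread says, a present tag only shows that the package claims a signature, and verifying it still needs the whole file and the signing key.

```python
import struct

# RPM layout: 96-byte lead, then the signature header (magic, 4 reserved bytes,
# nindex, hsize, nindex 16-byte index entries, hsize data bytes, padded to 8),
# then the main header and payload.
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96
HEADER_INTRO_SIZE = 16
INDEX_ENTRY_SIZE = 16
PREFETCH = LEAD_SIZE + HEADER_INTRO_SIZE   # 112 bytes tell you how much more to fetch

# Signature-header tag numbers from rpm's rpmtag.h.
SIGTAG_NAMES = {1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG",
                1007: "PAYLOADSIZE", 267: "DSA", 268: "RSA", 269: "SHA1"}
SIGNATURE_TAGS = {1002, 1005, 267, 268}    # OpenPGP signatures
DIGEST_TAGS = {1004, 269}                  # plain digests, not signatures
# Header data types: 1 CHAR, 2 INT8, 3 INT16, 4 INT32, 5 INT64, 6 STRING, 7 BIN
FIXED_WIDTH = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def signature_header_length(prefix):
    """Offset where the main header starts (lead + padded signature header).
    Needs only the first PREFETCH bytes, so it sizes the second ranged fetch."""
    if prefix[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    intro = prefix[LEAD_SIZE:PREFETCH]
    if len(intro) < HEADER_INTRO_SIZE or intro[:4] != RPM_HEADER_MAGIC:
        raise ValueError("signature header intro missing or bad magic")
    nindex, hsize = struct.unpack(">ii", intro[8:16])
    raw = HEADER_INTRO_SIZE + nindex * INDEX_ENTRY_SIZE + hsize
    return LEAD_SIZE + raw + (-raw) % 8    # rpm pads the sig header to 8 bytes


def parse_signature_tags(prefix):
    """Map signature-header tag number -> raw data bytes."""
    end = signature_header_length(prefix)
    if len(prefix) < end:
        raise ValueError("need %d bytes, have %d" % (end, len(prefix)))
    nindex = struct.unpack(">i", prefix[LEAD_SIZE + 8:LEAD_SIZE + 12])[0]
    index_start = LEAD_SIZE + HEADER_INTRO_SIZE
    data_start = index_start + nindex * INDEX_ENTRY_SIZE
    tags = {}
    for i in range(nindex):
        lo = index_start + i * INDEX_ENTRY_SIZE
        tag, typ, offset, count = struct.unpack(">iiii", prefix[lo:lo + INDEX_ENTRY_SIZE])
        start = data_start + offset
        if typ == 6:                       # NUL-terminated string
            length = prefix.index(b"\0", start, end) - start
        elif typ in FIXED_WIDTH:
            length = FIXED_WIDTH[typ] * count
        else:
            raise ValueError("unsupported type %d in signature header" % typ)
        tags[tag] = prefix[start:start + length]
    return tags


def classify_package(prefix):
    """Which signature and digest tags the package carries. A signature tag only
    means the package claims a signature; checking it needs the whole file."""
    tags = parse_signature_tags(prefix)
    return {"signatures": sorted(SIGTAG_NAMES[t] for t in tags if t in SIGNATURE_TAGS),
            "digests": sorted(SIGTAG_NAMES[t] for t in tags if t in DIGEST_TAGS),
            "claims_signature": any(t in SIGNATURE_TAGS for t in tags)}


def mirror_update(mirror, candidates):
    """The thread's policy: take a candidate only if its header carries a
    signature tag; otherwise keep the version already mirrored (or nothing)."""
    updated = dict(mirror)
    for name, prefix in candidates.items():
        if classify_package(prefix)["claims_signature"]:
            updated[name] = prefix
    return updated


def build_rpm_prefix(entries):
    """Construct a lead + signature header for this example (not a real package)."""
    index, data = b"", b""
    for tag, typ, payload in entries:
        if typ == 6:
            count = 1
        else:
            width = FIXED_WIDTH[typ]
            data += b"\0" * ((-len(data)) % width)   # rpm aligns fixed-width types
            count = len(payload) // width
        index += struct.pack(">iiii", tag, typ, len(data), count)
        data += payload
    hdr = RPM_HEADER_MAGIC + b"\0\0\0\0" + struct.pack(">ii", len(entries), len(data)) + index + data
    hdr += b"\0" * ((-len(hdr)) % 8)
    lead = RPM_LEAD_MAGIC + b"\x03\x00" + b"\0" * 72 + b"\x00\x05" + b"\0" * 16
    return lead + hdr + RPM_HEADER_MAGIC      # the main header would follow here


# Constructed sample values (not taken from any real package).
MD5_DIGEST = bytes(range(16))
SHA1_HEX = b"a" * 40 + b"\0"
FAKE_GPG_SIG = b"\x89\x01" + b"\0" * 62      # 64 filler bytes standing in for an OpenPGP packet
UNSIGNED_PREFIX = build_rpm_prefix([(1004, 7, MD5_DIGEST), (269, 6, SHA1_HEX)])
SIGNED_PREFIX = build_rpm_prefix([(1004, 7, MD5_DIGEST), (269, 6, SHA1_HEX), (1005, 7, FAKE_GPG_SIG)])

if __name__ == "__main__":
    for label, p in (("unsigned", UNSIGNED_PREFIX), ("signed", SIGNED_PREFIX)):
        print(label, "fetch", signature_header_length(p[:PREFETCH]), "bytes ->", classify_package(p))
    print(sorted(mirror_update({"foo": SIGNED_PREFIX}, {"foo": UNSIGNED_PREFIX, "bar": SIGNED_PREFIX})))
```

Against a real mirror the two calls map onto two ranged fetches: the first 112 bytes give signature_header_length, the next fetch up to that offset gives the tags. What this cannot do is the part the thread agrees on: deciding whether the signature verifies, which needs the header and payload the signature covers.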