On Friday, 29 October 2004 at 12:45 -0600, Rodolfo J. Paiz wrote:
> Matías is vehemently pro signing *every* package
Yes. But I never said that a signed repository is a bad solution :-)
Signing a repository has its benefit.
Signing every package has its benefit.
But I don't think it's easier to sign a repository than all the packages.
For signing a repository, one command line would be used (I suppose):
- gpg --sign ... OR createrepo --addsign
For signing all packages, one command line would be used:
- rpm --addsign <list of rpm package>
If Red Hat can use one of these methods, they can easily do both (it
seems).