On Fri, 5 Nov 2004, seth vidal wrote:
> This is just based on keys in your rpmdb.
> The idea is this:
> if you have 3 repos available to yum.
> They are signed with 3 separate gpg keys. So you've imported all the
> keys into your rpmdb. The whole point of the feature I described before
> is so you can say:
> the only packages I want from this repository are signed with _this_
> key. If you get a package from this repository that is signed with any
> other key, even if I have that key in my rpmdb, don't trust it.
Ok - here you are saying EACH package is signed. And this package
signature is the one that's compared.
The inferences I get from the above are:
- all packages from all repos should be signed (ideally)
- if an unsigned package is part of the dep-resolve list - then yum
just aborts the transaction
- (Obviously - the main feature) if the 'key' doesn't match the one
specified for this repo in yum.conf - the transaction is aborted.
I do like this new feature. A couple of questions remain.
- Where does signing 'metadata' fit in here?
- And this scheme would require rawhide packages also to be signed
with some key. (or am I misreading this?)
thanks,
Satish
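As an added example, not code from the thread or from yum itself: a small Python model of the per-repository key policy Satish infers above. Repo names, key ids and packages are constructed, and the per-repo "expected key" mapping is a hypothetical stand-in for the yum.conf option being discussed, not a real yum setting.

```python
# Added example (not part of the thread): model the per-repo signing policy.
# Repo names, key ids and packages below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Package:
    name: str
    repo: str
    signer: Optional[str]  # key id the package is signed with, None if unsigned

# Keys imported into the rpmdb: all three repo keys are trusted globally.
RPMDB_KEYS = {"KEY-FEDORA", "KEY-UPDATES", "KEY-THIRDPARTY"}

# Hypothetical per-repo option: the only key packages from this repo may carry.
REPO_KEYS = {
    "fedora": "KEY-FEDORA",
    "updates": "KEY-UPDATES",
    "thirdparty": "KEY-THIRDPARTY",
}

def check_package(pkg, rpmdb_keys=RPMDB_KEYS, repo_keys=REPO_KEYS):
    """Return None if the package passes the policy, else the reason to abort."""
    if pkg.signer is None:
        # Inference 2: an unsigned package in the dep-resolve list aborts.
        return f"{pkg.name}: unsigned package from {pkg.repo}"
    if pkg.signer not in rpmdb_keys:
        return f"{pkg.name}: signed with unknown key {pkg.signer}"
    expected = repo_keys.get(pkg.repo)
    if expected is not None and pkg.signer != expected:
        # The key is in the rpmdb, but it is not the key configured for
        # this repo, so the package is still rejected.
        return (f"{pkg.name}: signed with {pkg.signer}, "
                f"repo {pkg.repo} requires {expected}")
    return None

def check_transaction(packages, rpmdb_keys=RPMDB_KEYS, repo_keys=REPO_KEYS):
    """Collect every policy failure; any entry means the transaction aborts."""
    problems = []
    for pkg in packages:
        reason = check_package(pkg, rpmdb_keys, repo_keys)
        if reason is not None:
            problems.append(reason)
    return problems
```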