On Fri, 2004-10-29 at 22:56 +0200, Matias Féliciano wrote:
But I don't think it's easer to sign a repository than all
the packages.
For signing a repository, one command line would be used [...]
For signing all packages, one command line would be used [...]
If Red Hat can use one of these methods, they can easily do both (It's
seems).
Your logic is seriously flawed. The repository is created once, and
updated on a specific and regular schedule. The entire repository
metadata is signed at one time and in a predictable fashion.
Precisely the problem which has been pointed out about signing every
package is that there is no one around at the particular time when a few
packages are finally ready, and it is those that do not get signed. But
all packages are finished at different times, so it is impractical to
suggest that all packages can be signed together with a single command.
Cheers,
--
Rodolfo J. Paiz <rpaiz(a)simpaticus.com>