No more deltarpms by default

Panu Matilainen pmatilai at
Mon Oct 6 18:31:37 UTC 2014

On 10/06/2014 07:53 PM, Jonathan Dieter wrote:
> As mentioned elsewhere, the problem *is* signatures.  yum (quite
> rightly) refuses to install an rpm whose signature doesn't match the one
> in the primary repodata.  And I believe that the signature in the RPM is
> also over the whole compressed rpm.  To make this work, we'd need to add
> an "uncompressed" signature for every package to the primary repodata as
> well as probably the rpms themselves.

IIRC repodata doesn't carry signatures, it caries a (sha256) checksum of 
its own on the entire package. Rpm signatures are a different beast: 
there's (sha1) checksum and a signature on the header, plus "rpm v3" 
checksum and signature on header + payload. rpm -K style signature 
checking is the only thing that looks at the header + payload checksum 
and signature, otherwise rpm only uses the checksum/signature on header, 
which of course then has checksums of the individual files.

Rpm can (and usually does) ignore the payload signature, file-level 
checksums get checked anyway (that too *can* be disabled but...)
However it still requires the input data to be compressed in the format 
specified in the header. So to avoid having to compress tons of data 
only to decompress it shortly afterwards, there would have to be a way 
to tell librpm to expect a different payload compression (or 
specifically, that the payload is not compressed). Shouldn't be rocket 

	- Panu -

More information about the devel mailing list