Playground DNF plugin

Kevin Fenzi kevin at scrye.com
Fri Apr 18 16:49:33 UTC 2014


On Fri, 18 Apr 2014 12:03:52 +0200
Tadej Janež <tadej.janez at tadej.hicsalta.si> wrote:

> On Wed, 2014-04-16 at 15:42 +0200, Miroslav Suchy wrote: 
> > 
> > Why do you need a separate key?
> 
> To enhance the security by clearly separating packages which belong to
> some (random) COPRs and those which belong to COPRs that are part of
> the Playground repository.
> (BTW, will (future) signing in Copr use a separate key for each user
> or a separate key for each user-repo?)
> 
> For example, secondary arches in Fedora use a different key than the
> primary arches. RPMFusion uses different keys for free and nonfree
> repos.

...snip...

I'll toss out another option for folks to consider: Signed repodata. 

In this setup you don't sign packages at all, you sign the repodata
only. This has some advantages (you only have to resign when you change
the repo, you don't have to touch the packages directly, etc) and some
disadvantages (there's no history, so if the package is installed and a
newer one is in the repodata after that you can't tell if the one you
have installed is one trusted by the repo, etc). 

We thought about doing this for Fedora a while back, and I am not sure
where yum/dnf support is for it, but it might be worth looking into for
the playground repo. 

kevin
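To make the signed-repodata trade-off concrete, here is an added example (not code from the thread, Copr or dnf) of the trust chain a client would walk: a signature over repomd.xml, a checksum from repomd.xml over primary.xml, and per-package checksums from primary.xml. The sample payloads are constructed, and HMAC-SHA256 with a shared key stands in for the detached GPG signature a real repo would carry (an assumption so the block runs with the standard library only).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: a tiny "package" payload and a one-entry primary.xml.
PKG_BYTES = b"constructed rpm payload for example-1.0-1.noarch.rpm"
PKG_SHA = hashlib.sha256(PKG_BYTES).hexdigest()
PRIMARY_XML = (
    '<metadata><package><name>example</name>'
    f'<checksum type="sha256">{PKG_SHA}</checksum></package></metadata>'
).encode()
PRIMARY_SHA = hashlib.sha256(PRIMARY_XML).hexdigest()
REPOMD_XML = (
    '<repomd><data type="primary">'
    f'<checksum type="sha256">{PRIMARY_SHA}</checksum></data></repomd>'
).encode()
# Stand-in for the repo signing key (assumption): a real repo would publish a
# detached GPG signature over repomd.xml; HMAC-SHA256 only models that here.
REPO_KEY = b"constructed-repo-signing-key"
REPOMD_SIG = hmac.new(REPO_KEY, REPOMD_XML, hashlib.sha256).hexdigest()


def verify_repomd(repomd: bytes, sig: str, key: bytes) -> bool:
    """Check the signature over repomd.xml, the only object a signed-repodata
    repo signs, so it is the only thing re-signed when the repo changes."""
    expected = hmac.new(key, repomd, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def trusted_package_checksums(repomd: bytes, sig: str, key: bytes,
                              primary: bytes) -> set:
    """Walk the chain: signed repomd.xml -> primary.xml checksum ->
    per-package checksums. Raise if any link is broken."""
    if not verify_repomd(repomd, sig, key):
        raise ValueError("repomd.xml signature does not verify")
    want = ET.fromstring(repomd).find('./data[@type="primary"]/checksum').text
    if hashlib.sha256(primary).hexdigest() != want:
        raise ValueError("primary.xml does not match signed repomd.xml")
    return {c.text for c in ET.fromstring(primary).iter("checksum")}


def package_trusted(pkg: bytes, trusted: set) -> bool:
    """A package is trusted only while its checksum is in the current
    repodata; once a newer build replaces it, it drops out of the set, which
    is the 'no history' drawback Kevin describes."""
    return hashlib.sha256(pkg).hexdigest() in trusted
```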