YUM security issues...
Jesse Keating
jkeating at redhat.com
Mon Jul 28 18:25:48 UTC 2008
On Mon, 2008-07-28 at 12:07 -0500, Matt Domsch wrote:
> 1. repomd.xml needs to be signed. Either attached or detached sig
> (advice sought). If attached, format would be
I would prefer a detached sig, so that the checksum of repomd.xml itself
doesn't change if the GPG sig for it does. This is important as there
are control files in the compose to track consistency of the tree
itself, and having the repomd.xml change it's key would invalidate this
control file.
--
Jesse Keating
Fedora -- Freedom² is a feature!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20080728/c5e39c92/attachment.bin
More information about the infrastructure
mailing list