Marcus Rueckert <darix@opensu.se> writes:
On 2008-01-25 21:12:45 +0100, Susanne Oberhauser wrote:
Adrian Schröter <adrian@suse.de> writes:
Is there an ETA when this is going to be fixed? I depend on it, because I intended to work on the redirector this week... for which I need a functional Apache and Apache:Modules project.
actually, I am not that sure that this should be changed.
How should an external see that this package was not built by this certain project/person?
I'd rather prefer the additional (aggregated) key to be distributed via this project (aggregating the package).
Does the package management support several keys in one repo?
rpm does not support multiple sigs on one rpm.
a) I wouldn't put bets on that (I think it does, maybe buggy on and off, but you can add multiple signatures and installation will succeed if one of the keys is in /bin/rpm's keyring)

b) I meant multiple keys in the _repo_, not the package, so hard links work:

I propose that an aggregated repo not only aggregates the packages but also hosts all keys used to sign these packages. The project maintainer who does the aggregation claims these packages are ok.

Now the Q is: is there a way that the user selects this repo and YaST imports all the keys as trusted for rpms?

But thinking through it, alternatively, as rpm does support multiple signatures on the same package, would it be ok if aggregation adds a blessing to the package and it gets dual signed in both repos?

So I think the following would do the trick too:

I alternatively propose that aggregation means blessing of a package, so the package will be signed with the original repo's key as well as with the aggregating repo's key.

In addition to maintaining 'hardlinkability' I think the semantics are ok: you'd never aggregate a package that you don't trust. And the other way 'round the additional signature in the other repository won't harm, AFAICT it's sufficient to trust one of the signatures to get a package installed so the aggregating signature doesn't change anything.

S.
--
Susanne Oberhauser +49-911-74053-574 SUSE -- a Novell Business
OPS Engineering Maxfeldstraße 5 Processes and Infrastructure
Nürnberg SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)