[Bug 569] please gpg-sign repomd.xml files, enable repo_gpgcheck=1 in yum .repo files

Michael Schwendt mschwendt at gmail.com
Thu Apr 8 15:07:49 CEST 2010


On Sun,  4 Apr 2010 21:25:51 +0200, RPM wrote:

> http://bugzilla.rpmfusion.org/show_bug.cgi?id=569
> 
> --- Comment #10 from Thorsten Leemhuis 2010-04-04 21:25:50 ---
> (In reply to comment #9)
> > Is this problem fixed ?
> 
> I would not call it a problem, more a RFE -- for something that even Fedora
> still doesn't do iirc
> 
> but whatever: seems this is one of the dozens of things in RPM Fusion that
> really would be nice to fix or improve, without anybody working on it :-((
> (and most of the other things that need to get improved are way more important
> IMHO)

RFEs like this are in need of _somebody_ to make decisions.

In particular: Is using "gpg-agent" an option? (I think it is)
Would using "expect" be considered acceptable? (I don't like it)

As I've mentioned in that bz ticket last year, a repomdsigncmds feature is
available in the pushscripts. It just needs to be configured _and_
evaluated. Without using gpg-agent (or expect), one would need to enter
the key passphrase too often (IMO), however. Has anyone followed the
development of the signing server (and its requirements)?

A fundamental problem with RPMFusion is that at the management level there
is no work-horse to "just do it", i.e. to decide on something and work
with contributors on feasible solutions. Where something sucks, it needs
somebody to say "we want to improve in that area" and to put something
onto an agenda (or call it "wishlist").

