brianloss commented on pull request #412: URL: https://github.com/apache/fluo-muchos/pull/412#issuecomment-936115222
> If we ignored the SHA512 sum and just validated the signature, then it wouldn't matter if the SHA512 changed, as long as the signature is trusted.

If we could make yum fail when there's no GPG signature in the package, then this would be the best option. However, there appears to be no way to do that. If the package we were downloading got replaced with one having no signature, nothing would fail and there would be only a warning about a missing signature. Given that, it's probably better to live with the annoyance of the checksum changing--at least the install fails when the signature changes.
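
One way to catch the unsigned-package case described above before the file ever reaches yum, as an added example that is not part of the comment or of the fluo-muchos code: inspect the `rpm -K` (`--checksig`) result and require that a signature, not just a digest, verified. The function names and sample output lines are constructed, and the two output layouts handled (older and newer rpm releases) are assumptions about the rpm version in use.

```shell
# Added example (hypothetical helper names, constructed sample lines).
# `rpm -K` reports "OK" for an unsigned package as long as its digests
# match, so a plain success check does not prove a signature exists.

# sig_verified LINE
#   LINE is one line of `rpm -K <file>` output.
#   Returns 0 only if the line ends in OK and names a verified signature.
sig_verified() {
    line=$1
    result=${line#*: }            # drop the "<file>: " prefix

    case $result in
        *"NOT OK"*) return 1 ;;   # bad digest, bad signature or missing key
    esac
    case $result in
        *OK) ;;                   # must end with a passing verdict
        *)   return 1 ;;
    esac

    # Newer rpm prints "digests signatures OK"; older rpm lists the
    # individual checks, e.g. "rsa sha1 (md5) pgp md5 OK". Lowercase
    # signature tokens mean the signature verified; an unsigned package
    # shows digest tokens only.
    for word in $result; do
        case $word in
            signatures|rsa|dsa|pgp|gpg) return 0 ;;
        esac
    done
    return 1
}

# require_signed_rpm FILE
#   Fails if rpm cannot verify FILE or if FILE carries no signature.
#   Assumes the vendor's public key was already imported with
#   `rpm --import`.
require_signed_rpm() {
    out=$(rpm -K "$1" 2>&1) || return 1
    sig_verified "$out"
}
```

Calling `require_signed_rpm` on the downloaded file and aborting on a non-zero status turns the missing-signature warning into a hard failure, independent of whether the published checksum has changed.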
