> since all of this information is available
> on feed sync: would it not be worth checksumming the download and taking
> action (probably electing to ignore the package) if for whatever reason
> a checksum is inconsistent?
>

I agree with this suggestion, but would like the checking to be made even stronger.
I would prefer that the package signature is checked against the repo signing key to be sure that the package hasn't been tampered with or been corrupted along the way.

Ben Stanley.

_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
