> > If RPMFusion ships configuration for other repos, the package should > also include the GPG key, set gpgcheck=1 and include only the intended > packages with includepkgs to minimise security problems. > > Regards > Till >
I have done some examples in the system-config-repo upstream, all includes the gpg key. (and system-config-repo has some basic tooling to inspect it, should be improved). All examples I have looked into so far, is basically just to make a specific application available. As long as this is technically sound (no idea, never used this one) the includepkgs idea looks great to me. Cheers, --alec