On Mon, 21 May 2007, Troy Dawson wrote:
> Jon Peatfield wrote:
>> ...
>> I'm now puzzling over why the default seems to be to ship with all the
>> yum.repos.d/ entries having gpgcheck=0; surely the extra work of doing a
>> sig-check isn't so great, is it?
>
> It's because java wasn't ever signed. In the past, we couldn't sign it
> without breaking it, so whenever that was turned on, it would yell and
> scream, and people couldn't update any package.

Oh! I'd always assumed it would just refuse to work with packages which
failed the sig-check, not any package in the same repo!!

[ We have never cared about the java packages since we run with versions
we download/install direct from Sun anyway, but I understand that many
sites don't want to do that... ]

> With a new gnupg, we are now able to sign the java packages, so it's now a
> possibility. We'll look into it in the next release.

One could always move packages which can't be signed into another repo,
but that may be just as much work.

-- Jon
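
An added example, not part of the original message or of any distribution's tooling: a small audit that reports which enabled yum repos install packages without a signature check. It goes beyond the thread by also applying the [main] default from yum.conf. The repo ids, URLs and key path in SAMPLE are constructed; they show the layout suggested above, with unsigned packages split into their own repo so that gpgcheck can stay on everywhere else.

```python
import configparser
import glob

# Constructed sample: a signed base repo, a separate repo for packages that
# cannot be signed, and a disabled repo that sets no gpgcheck value at all.
SAMPLE = {
    "example.repo": """\
[example-base]
baseurl=http://mirror.example.invalid/$releasever/base/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unsigned]
baseurl=http://mirror.example.invalid/$releasever/unsigned/
enabled=1
gpgcheck=0

[example-testing]
baseurl=http://mirror.example.invalid/$releasever/testing/
enabled=0
""",
}

def audit_repos(files, main_gpgcheck=False):
    """Return (file, repo_id, enabled, gpgcheck) for every repo section.

    main_gpgcheck is the [main] value from yum.conf, which applies when a
    repo sets no gpgcheck of its own; yum.conf(5) documents its default as 0.
    """
    rows = []
    for fname, text in sorted(files.items()):
        # interpolation=None: repo files may contain '%' and $variables.
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text, source=fname)
        for repo in cp.sections():
            enabled = cp.getboolean(repo, "enabled", fallback=True)
            checked = cp.getboolean(repo, "gpgcheck", fallback=main_gpgcheck)
            rows.append((fname, repo, enabled, checked))
    return rows

def unchecked_enabled(rows):
    """Repo ids yum will install from without verifying signatures."""
    return [repo for _, repo, enabled, checked in rows if enabled and not checked]

if __name__ == "__main__":
    # Audit the installed configuration if present, otherwise the sample.
    paths = glob.glob("/etc/yum.repos.d/*.repo")
    files = {p: open(p).read() for p in paths} or SAMPLE
    print("unverified repos:", unchecked_enabled(audit_repos(files)))
```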