> > We can live with rpm verification disabled too.
>
> This is a terrible idea from a security perspective.
In embedded linux world, production systems are rarely if ever updated from
package feeds by a package manager. Rather, the whole root filesystem gets
overwritten from an image file.
> So outsourcing the crypto to external gpg executable would be very welcome.
This isn’t going to happen because spawning an external program breaks in too
many situations.
> We can live with rpm verification disabled too.
This is a terrible idea from a security perspective.
--
Reply to this
Just wanted to add the Yocto perspective: we don't have anything against
sequoia, except its build dependencies. It needs both rust and clang (via one
of the crates), rust and cland are both extremely heavy items to build, and we
can't inject them into the core build sequence because it would