15 Jun 2010, 4:37 p.m.
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs <aleksis.jauntevs@gmail.com> wrote:
I don't think that repo.db should be signed, and it is enough to sign only the packages. As I understand so far, the only reason to sign repo.db file is to prevent "replay" situations in repos.
It's the other way round: signing the DB is important while signing single packages is not (but should still be done for some reasons). If the DB is not signed I could simply add additional packages or replace packages.

--
Pierre Schmitz, https://users.archlinux.de/~pierre
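Added example, not part of the original message and not any project's own code: a minimal client-side check illustrating the reply above, where a rewritten, unsigned package index lets added or replaced packages pass, while a signed index is rejected after any change. HMAC stands in for a real detached signature, and the names `sign`, `build_db`, `verify_install` and the package file names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the repository signing key. A real repository
# would use an asymmetric detached signature; HMAC keeps this example
# runnable with the standard library only.
REPO_KEY = b"constructed-demo-key"


def sign(data: bytes) -> str:
    """Return the (stand-in) signature over the serialized index."""
    return hmac.new(REPO_KEY, data, hashlib.sha256).hexdigest()


def build_db(packages: dict) -> bytes:
    """Serialize an index mapping package file name -> SHA-256 of the file."""
    index = {name: hashlib.sha256(blob).hexdigest()
             for name, blob in packages.items()}
    return json.dumps(index, sort_keys=True).encode()


def verify_install(db, db_sig, name, blob, require_db_sig):
    """Return True if a client would accept `blob` as package `name`."""
    if require_db_sig:
        if not db_sig or not hmac.compare_digest(sign(db), db_sig):
            return False  # index is unsigned or was changed after signing
    expected = json.loads(db).get(name)
    actual = hashlib.sha256(blob).hexdigest()
    return expected is not None and hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample data: the genuine repository and its signed index.
    genuine = {"foo-1.0-1.pkg.tar.gz": b"genuine foo contents"}
    db = build_db(genuine)
    db_sig = sign(db)

    # Constructed sample data: a mirror copy whose index was rewritten to
    # match one replaced package and one additional package.
    altered = {"foo-1.0-1.pkg.tar.gz": b"replaced contents",
               "extra-1.0-1.pkg.tar.gz": b"added package"}
    altered_db = build_db(altered)

    for name, blob in altered.items():
        print(name,
              "| unsigned index:", verify_install(altered_db, None, name, blob, False),
              "| signed index:", verify_install(altered_db, db_sig, name, blob, True))
```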