15 Jun
2010
12:43 p.m.
On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote:
On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs <aleksis.jauntevs@gmail.com> wrote:
I don't think that repo.db should be signed; it is enough to sign only the packages. As I understand it so far, the only reason to sign the repo.db file is to prevent "replay" situations in repos.
It's the other way round: signing the DB is important while signing single packages is not (but should still be done for some reasons).
If the DB is not signed, I could simply add additional packages or replace packages.
Yes, but if we compare the repo.db files with those on other mirrors, then we could tell that this has happened.

-- Aleksis Jauntēvs