On Friday, 29 October 2004 at 12:45 -0600, Rodolfo J. Paiz wrote:
> Matías is vehemently pro signing *every* package
Yes. But I never said that a signed repository is a bad solution :-)
Signing a repository has its benefit. Signing every package has its benefit.
But I don't think it's easier to sign a repository than all the packages.
For signing a repository, one command line would be used (I suppose):
- gpg --sign ... OR createrepo --addsign
For signing all packages, one command line would be used:
- rpm --addsign <list of rpm package>
If Red Hat can use one of these methods, they can easily do both (it seems).