On Mon, 21 May 2007, Troy Dawson wrote:

> Jon Peatfield wrote:
> ...
>>
>>  I'm now puzzling over why the default seems to be to ship with all the
>>  yum.repos.d/ entries having gpgcheck=0 surely the extra work of doing a
>>  sig-check isn't so great is it?
>
> It's because java wasn't ever signed.  In the past, we couldn't sign it 
> without breaking it, so whenever that was turned on, it would yell and 
> scream, and people couldn't update any package.

Oh! I'd always assumed it would just refuse to work with packages which 
failed the sig-check not any package in the same repo!!

[ We have never cared about the java packages since we run with versions 
we download/install direct from Sun anyway, but I understand that many 
sites don't want to do that... ]

> With a new gnupg, we are now able to sign the java packages, so it's now a 
> possiblity.  We'll look into it in the next release.

One could always move packages which can't be signed into another repo, 
but that may be just as much work.

  -- Jon