On Mon, 21 May 2007, Troy Dawson wrote:

> Jon Peatfield wrote:
> ...
>>
>> I'm now puzzling over why the default seems to be to ship with all the
>> yum.repos.d/ entries having gpgcheck=0 surely the extra work of doing a
>> sig-check isn't so great is it?
>
> It's because java wasn't ever signed. In the past, we couldn't sign it
> without breaking it, so whenever that was turned on, it would yell and
> scream, and people couldn't update any package.

Oh! I'd always assumed it would just refuse to work with packages which failed the sig-check not any package in the same repo!!

[ We have never cared about the java packages since we run with versions we download/install direct from Sun anyway, but I understand that many sites don't want to do that... ]

> With a new gnupg, we are now able to sign the java packages, so it's now a
> possibility. We'll look into it in the next release.

One could always move packages which can't be signed into another repo, but that may be just as much work.

-- Jon
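An added example, not part of the original message: a small Python audit that lists the enabled repos in yum.repos.d-style files that run without a signature check, including a separate repo for unsignable packages as suggested above. The repo ids, URLs and sample file are constructed, and `main_default` is an assumed stand-in for the `[main]` gpgcheck value in yum.conf.

```python
import configparser
import glob

# Constructed sample of a .repo file; ids and URLs are made up for illustration.
SAMPLE_REPO = """
[example-base]
name=Example base
baseurl=http://repo.example.invalid/$releasever/$basearch/
gpgcheck=0

[example-signed]
name=Example signed packages
baseurl=http://repo.example.invalid/signed/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unsigned]
name=Packages that cannot be signed, split into their own repo
baseurl=http://repo.example.invalid/unsigned/
enabled=1

[example-disabled]
name=Disabled repo, ignored by the audit
baseurl=http://repo.example.invalid/old/
enabled=0
gpgcheck=0
"""

def audit_repos(text, main_default=False):
    """Return ids of enabled repos whose packages are not signature-checked.

    main_default is the value inherited when a repo sets no gpgcheck of its
    own (assumption: False, i.e. yum.conf [main] does not enable it).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        sec = cp[repo]
        if repo == "main" or not sec.getboolean("enabled", fallback=True):
            continue
        if not sec.getboolean("gpgcheck", fallback=main_default):
            findings.append(repo)
    return findings

if __name__ == "__main__":
    print("sample:", audit_repos(SAMPLE_REPO))
    for path in sorted(glob.glob("/etc/yum.repos.d/*.repo")):
        with open(path) as fh:
            print(path, audit_repos(fh.read()))
```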