On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs <[email protected]> wrote: > I dont think that repo.db should be signed and it is enough to sign only > the > packages. As I understand so far the only reason to sign repo.db file is > to > prevent "replay" situations in repos.
It's the other way round: signing the DB is important while signing single packages is not (but should still be done for some reasons). If the DB is not signed I could simply add additional packages or replace packages. -- Pierre Schmitz, https://users.archlinux.de/~pierre
