It's finally time to get rid of a whole lotta pain and eliminate
header+payload signatures.
The header-only signatures on metadata are sufficient, 2 signatures is
as likely to be worse as better than either signature alone, and leads to
an enormous amount of complexity that makes little sense now that the
Header and the Payload are actually 2 different files in a XAR archive
going forward.
So this week is the very last opportunity to express any concerns.
Are there any concerns?
At the same time I'm going to remove the ability to sign with pgp/pgp5.
I have not looked at that code for like 4 years, and I doubt that there is
anyone still using pgp/pgp5 to sign rpm packages, gpg is far more widely
deployed and trusted, with more algorithms like RSA/SHA1, than was
the case in 1999.
I'll be happy to resurrect pgp/pgp5 signing if there are any
volunteers to test.
Any volunteers? ;-)
73 de Jeff
Received on Mon Nov 12 19:50:50 2007