Submission policy

Michael Schwendt fedora at wir-sind-cool.org
Sun Jul 4 13:35:01 UTC 2004


On Sun, 04 Jul 2004 14:29:04 +0200, Leonard den Ottolander wrote:

> Hi,
> 
> A question regarding submission policy
> (http://www.fedora.us/wiki/PackageSubmissionQAPolicy):
> Item 4: Why does one need to rpm --resign instead of rpmbuild --sign,
> and why as a different user? Especially the latter puzzles me.

In one word: paranoia.

The user account used to do the compilation should not have access to
any security relevant files, including GPG private keys. It all boils
down to just another matter of trust. If the packager does trust upstream
developers and upstream source tarball integrity, rpmbuild --sign is
not considered a problem.

> I think it's a good idea to also add this explanation to that page.

Most likely an even better idea is to move it onto the PackagingHints
page.
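The separation described in this reply, written out as an added shell example that is not part of the original mail and not a script from the fedora.us policy page: the build account refuses to build if its GnuPG home holds any secret-key material, the package is built unsigned, and signing happens afterwards from a separate account with rpm --resign. The account name rpmsigner and the GNUPGHOME/SIGNER_USER variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Idea from the reply above: the
# account that runs rpmbuild should never be able to read GPG private keys,
# so a malicious spec file or tarball that executes during the build cannot
# steal or misuse the packager's signing key.

# Return 0 (true) if the given GnuPG home directory holds secret-key material.
# Checks both the legacy secring.gpg keyring and the modern private-keys-v1.d
# directory used by GnuPG 2.1 and later.
gnupg_home_has_secret_keys() {
    dir="$1"
    [ -s "$dir/secring.gpg" ] && return 0
    if [ -d "$dir/private-keys-v1.d" ]; then
        for f in "$dir/private-keys-v1.d"/*.key; do
            # The glob stays literal when nothing matches, hence the -e test.
            [ -e "$f" ] && return 0
        done
    fi
    return 1
}

# Build unsigned as the unprivileged build account. Refuses to run when the
# account's GnuPG home contains secret keys, because then the separation the
# policy asks for is not actually in place.
build_unsigned() {
    spec="$1"
    if gnupg_home_has_secret_keys "${GNUPGHOME:-$HOME/.gnupg}"; then
        echo "refusing to build: secret keys present in build account" >&2
        return 2
    fi
    rpmbuild -bb "$spec"
}

# Sign afterwards from a different account that holds the key. The signer
# account name (rpmsigner) is an assumed placeholder; the signer's
# ~/.rpmmacros must set %_gpg_name to the key to use.
sign_as_signer() {
    su -c "rpm --resign $*" "${SIGNER_USER:-rpmsigner}"
}
```

The check on the GnuPG home is the part worth automating: a build box where the packager has, out of convenience, imported the signing key into the build account silently loses the protection the policy is after, and rpmbuild --sign would happily work there.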
