
Re: Unsigned packages in yum in FC4T1



On Mon, 2005-04-04 at 09:18 +0200, Nils Philippsen wrote:

> 
> We had that discussion with FC3 devel (or was it FC2?) already -- I
> argued that we should somehow ensure that all packages leaving the build
> system (i.e. getting pushed) would be signed with at least some key to
> ensure package integrity while others argued that this would somehow
> suggest a level of quality in the package which isn't given. The
> discussion didn't lead anywhere tangible unfortunately.
> 

It seems to me that the purpose of the sig is not so much as a guarantee
of quality, as opposed to an insurance that the package hasn't been
tampered with (especially if you are pulling packages off of mirrors).
Granted, that isn't how everyone else may interpret it, but I'd rather
see all rawhide packages signed so that if I'm pulling from a mirror I
can feel reasonably assured that someone isn't slipping some badness
into my firefox update or whatever.

-- 
David Hollis <dhollis davehollis com>
