[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Package XYZ is not signed



On So Oktober 28 2007, Andrew Farris wrote:

> prevent that either (in rawhide).  Testing rawhide isn't for boxes with
> corporate sensitive data...

This seems not to be common knowledge, because afaik even Fedora Maintainers 
use Rawhide on a system, where they create new packages.

> Actually signing the package from the build system would change very little
> other than insure that the mirror you're downloading from did not bring in
> a new package that doesn't belong.

Imho it is a big benefit, because it is very easy for a mirror maintainer to 
change a package. Also someone who breaks into a mirror can easily cause 
heavy damage. And last but not least, the manipulation of the package can 
also happen on the connection to the mirror, e.g. on conferences with 
free/open wifi/internet access.

Regards,
Till

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]