On Sun October 28 2007, Andrew Farris wrote:

> prevent that either (in rawhide). Testing rawhide isn't for boxes with
> corporate sensitive data...

This seems not to be common knowledge, because AFAIK even Fedora Maintainers use Rawhide on a system where they create new packages.

> Actually signing the package from the build system would change very little
> other than ensure that the mirror you're downloading from did not bring in
> a new package that doesn't belong.

IMHO it is a big benefit, because it is very easy for a mirror maintainer to change a package. Also, someone who breaks into a mirror can easily cause heavy damage. And last but not least, the manipulation of the package can also happen on the connection to the mirror, e.g. at conferences with free/open wifi/internet access.

Regards,
Till