Package XYZ is not signed
nodata
lsof at nodata.co.uk
Tue Oct 30 18:30:10 UTC 2007
Am Dienstag, den 30.10.2007, 19:25 +0100 schrieb nodata:
> Am Sonntag, den 28.10.2007, 13:40 -0700 schrieb Andrew Farris:
> > If you keep an eye on where your packages are coming from, even for rawhide,
> > then you can be sure that only authorized maintainers have put them into the
> > system (control which mirrors you're pulling them from). Actually signing the
> > package from the build system would change very little other than insure that
> > the mirror you're downloading from did not bring in a new package that doesn't
> > belong.
>
> It worries me massively, from a security perspective, that someone from
> inside Red Hat would say something as wrong as this.
Oh, you don't work for Red Hat. Sorry. But your statement is still
completely off the field.
> >
> > So as it stands, you have to extend trust to the maintainers, and the mirror.
> > You can pick which mirror you trust.
> >
>
More information about the fedora-devel-list
mailing list