Re: Should Fedora rpms be signed?
- From: Peter Jones <pjones redhat com>
- To: For testers of Fedora Core development releases <fedora-test-list redhat com>
- Subject: Re: Should Fedora rpms be signed?
- Date: Mon, 01 Nov 2004 11:47:48 -0500
On Sat, 2004-10-30 at 01:11 +0200, Matias Féliciano wrote:
> Since rawhide has some unsigned packages, I like to know which packages
> are not signed, and I sign them with my key (so yum always has
> "gpgcheck=1"):
> I mirror rawhide in the i386 directory with rsync, and then I sign
> the packages that are missing a gpg signature.
> Note, I don't sign (that is, change) any package in the i386 directory
> (rsync does not like this).
When somebody organizes a man-in-the-middle attack between you and
whichever site you rsync rawhide from, you sign the packages anyway.
Can you see how this is a big problem?
--
Peter
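
The point of the reply above, as an added example that is not part of the original message: a small model of the mirror-then-sign workflow showing that a local signature vouches for whatever bytes arrived, not for what upstream built. HMAC keys stand in for GPG keys, and every name, key and payload is a constructed assumption.

```python
import hashlib
import hmac

# Constructed stand-ins: HMAC keys play the role of GPG signing keys.
VENDOR_KEY = b"constructed-vendor-key"
LOCAL_KEY = b"constructed-local-key"


def sign(key: bytes, payload: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def gpgcheck(pkg: dict, trusted_keys: list) -> bool:
    """Model of gpgcheck=1: accept only a signature made by a trusted key."""
    sig = pkg["sig"]
    if sig is None:
        return False
    return any(hmac.compare_digest(sig, sign(k, pkg["payload"])) for k in trusted_keys)


def fetch(upstream: dict, altered_in_transit: dict) -> dict:
    """Model of an unauthenticated transfer: unsigned payloads may arrive changed."""
    mirror = {name: dict(pkg) for name, pkg in upstream.items()}
    for name, payload in altered_in_transit.items():
        mirror[name]["payload"] = payload
    return mirror


def sign_unsigned(mirror: dict, local_key: bytes) -> dict:
    """The workflow in the quoted message: sign whatever lacks a signature."""
    return {
        name: pkg if pkg["sig"] else {**pkg, "sig": sign(local_key, pkg["payload"])}
        for name, pkg in mirror.items()
    }


def installable(repo: dict, trusted_keys: list) -> list:
    return sorted(n for n, p in repo.items() if gpgcheck(p, trusted_keys))


# Constructed sample repository: one vendor-signed package, one unsigned.
UPSTREAM = {
    "signed-pkg": {"payload": b"vendor build A", "sig": sign(VENDOR_KEY, b"vendor build A")},
    "unsigned-pkg": {"payload": b"vendor build B", "sig": None},
}
MIRROR = fetch(UPSTREAM, {"unsigned-pkg": b"content altered in transit"})
LOCAL_REPO = sign_unsigned(MIRROR, LOCAL_KEY)

if __name__ == "__main__":
    print("before local signing:", installable(MIRROR, [VENDOR_KEY, LOCAL_KEY]))
    print("after local signing: ", installable(LOCAL_REPO, [VENDOR_KEY, LOCAL_KEY]))
```

Before local signing, the signature check still rejects the package that arrived unsigned; after it, the same altered content passes because the local key is trusted.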