[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Should Fedora rpms be signed?

From: Satish Balay <balay fastmail fm>
To: For testers of Fedora Core development releases <fedora-test-list redhat com>
Subject: Re: Should Fedora rpms be signed?
Date: Mon, 1 Nov 2004 13:34:24 -0600 (CST)

On Mon, 1 Nov 2004, Matias Féliciano wrote:

> A signature, which can be part of a quality process, ensure where the
> information/data/package come from. A signature is not a certificate of
> quality _without_ a quality process.

Totally agree. All the points raised so far were mostly releated to QA
for RHEL.

One can argue that even rawhide has a QA - and the gpg-sign is part of
the QA proces - However the QA for RHEL is totally different from QA
for Fedora (release) - which is different from QA for rawhide. So
there is no conflict in the model - and no good reason yet for not
gpg-signing.

Any argument which says 'users will confuse gpg-signed rawhide
packages as RHEL QA'ed packages' is bogus. (Any user infering this
from the gpg-signautre - and thinks its safe to use rawhide instead of
fedra-core-release/RHEL is nuts)

Satish

References:
- Re: Should Fedora rpms be signed?
  - From: Peter Jones
- Re: Should Fedora rpms be signed?
  - From: Matias Féliciano

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]