[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Should Fedora rpms be signed?



A recent scam involving fake updates to Fedora has highlighted the lack of
signed RPMs for Fedora Core.

"Red Hat has been made aware that emails are circulating that pretend to
come from the Red Hat Security Team"
[..]
"All official updates for Red Hat products are digitally signed and should
not be installed unless they are correctly signed and the signature is
verified."
 -- http://www.redhat.com/security/

It's possibly that some of the people testing Fedora Core are connected to
a network of machines that they'd rather not put at risk. It might also be
possible that a user testing Fedora Core could even use the same password
as another machine connected to that network.
Perhaps some users of Fedora Core also have personal information stored on
the machine which FC is installed on.

I posted a bug. I got a reply, from Duke:
"1. fedora core is not a product, it is a project.
 2. releases from rawhide are not official."
 -- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136461

What does the list think about signed RPMs - are they unnecessary for a
community project, or are they useful?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]