Should Fedora rpms be signed?
Douglas Furlong
douglas.furlong at firebox.com
Tue Oct 26 13:24:18 UTC 2004
On Tue, 2004-10-26 at 15:13 +0200, nodata wrote:
> > This has been discussed over and over, so look at the archives. Basically
> > it boils down to the Rawhide RPMs being automatically generated when there
> > isn't always someone around to sign them. Since the whole point of
> > Rawhide is to get new bits out the door the choice is made not to hold
> > them for a live body to sign them.
>
> Then perhaps rawhide should be signed with a separate key that signs the
> packages without a live body.
>
If this is done then it severely reduces the relevance of having them
signed in the first place.
My understanding is that, when a package is "signed" by redhat, a human
steps up to the plate, does certain verifications, then puts in the pass
phrase, and hey presto you have a signed package.
Your suggestion automates the whole process, and drastically reduces the
security model.
Personally, I am 100% happy for the sandpit to continue to be unsigned,
so long as test/released packages are signed, I am happy.
To me, rawhide is only half a step away from CVS, should the CVS access
(once made public) also have every thing GPG signed?
Doug
--
Douglas Furlong
Systems Administrator
Firebox.com
T: 0870 420 4475 F: 0870 220 2178
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-test-list/attachments/20041026/9448ea4e/attachment.sig>
More information about the fedora-test-list
mailing list