Should Fedora rpms be signed?

nodata fedora at nodata.co.uk
Thu Oct 28 12:34:22 UTC 2004


>
> Matias Féliciano said:
>> Le mardi 26 octobre 2004 à 08:25 -0400, William Hooper a écrit :
>>
>>> nodata said:
>>>> A recent scam involving fake updates to Fedora has highlighted the
>>>> lack of signed RPMs for Fedora Core.
>>>
>>> How?  Would it make you feel better if the fake updates had installed a
>>>  signature first?
>>
>> Impossible. gpg check is done _before_ installing the package.
>
> Very possible. The fake updates weren't directly an RPM, the instructions
> had you run a shell script.

Yes, but that's not really the point.
The point is that the RPMs are not signed.

It's not really important how it came to be noticed that the RPMs were not
signed (i.e. the announcement about the recent scam).

It's not really relevant either that RPMs can verify themselves.
The whole point of my post was that there is no way to verify a rawhide
RPM originated from Red Hat.

True, signing them would devalue the signing key, but NOT signing them
devalues the RPMs even more because they cannot be automatically verified
using a package manager.

>
> --
> William Hooper
>
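A structural check of the point the post is making, given here as an added example and not as code from the post or from the rpm project: parse an RPM's lead and signature header and report whether any OpenPGP signature entry is present at all (PGP/GPG over header plus payload, DSA/RSA over the header only), as opposed to only size and digest entries, which is what an unsigned rawhide package carries. Tag numbers and the lead/header layout follow rpm's rpmtag.h and the LSB package-format description; the two packed fixtures are constructed in the block, and the "signature" in the signed one is a dummy byte string, not a real OpenPGP signature.

```python
"""Report whether an RPM file carries an OpenPGP signature entry.
Added example, not code from the mailing-list post or from rpm itself.
Fixtures are constructed here; the signed one holds a dummy blob."""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"     # rpmlead magic
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header structure magic + version 1
LEAD_SIZE = 96                       # sizeof(struct rpmlead)
RPMSIGTYPE_HEADERSIG = 5             # signature is a header structure

# Signature-header tags (rpmtag.h / LSB)
SIGTAG_NAMES = {1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG",
                1007: "PAYLOADSIZE", 267: "DSA", 268: "RSA", 269: "SHA1"}
PAYLOAD_SIG_TAGS = {1002, 1005}      # signature over header + payload
HEADER_SIG_TAGS = {267, 268}         # signature over the header only
RPM_INT32_TYPE = 4
RPM_BIN_TYPE = 7


def parse_signature_header(data):
    """Return {tag: raw bytes} for the entries of the signature header."""
    if data[:4] != LEAD_MAGIC or len(data) < LEAD_SIZE + 16:
        raise ValueError("not an RPM file (bad lead)")
    # lead: magic, major, minor, type, archnum, name[66], osnum, sigtype
    *_, sigtype = struct.unpack(">BBhh66shh", data[4:80])
    if sigtype != RPMSIGTYPE_HEADERSIG:
        raise ValueError("unsupported signature type %d" % sigtype)
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    if len(data) < store_start + hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">iiii", data[index_start + 16 * i:index_start + 16 * i + 16])
        if typ == RPM_BIN_TYPE:
            size = count
        elif typ == RPM_INT32_TYPE:
            size = 4 * count
        else:
            continue  # other types are not needed to classify signatures
        entries[tag] = data[store_start + offset:store_start + offset + size]
    return entries


def classify(entries):
    """Presence only: a blob under a signature tag is not a valid signature."""
    tags = set(entries)
    if tags & PAYLOAD_SIG_TAGS:
        return "signed"          # rpm -K can verify header and payload
    if tags & HEADER_SIG_TAGS:
        return "header-signed"   # rpm -K can verify the header
    return "unsigned"            # digests only: integrity, no provenance


def build_rpm(signed):
    """Constructed fixture: lead + signature header, no main header/payload."""
    lead = LEAD_MAGIC + struct.pack(">BBhh66shh", 3, 0, 0, 1,
                                    b"demo-1.0-1", 1, RPMSIGTYPE_HEADERSIG)
    lead += b"\0" * 16                                       # reserved
    items = [(1000, RPM_INT32_TYPE, struct.pack(">I", 4096)),  # SIZE
             (1004, RPM_BIN_TYPE, b"\x11" * 16)]               # MD5 digest
    if signed:
        items.append((1005, RPM_BIN_TYPE, b"\x99" * 64))       # GPG: dummy blob
    index, store = b"", b""
    for tag, typ, value in items:
        if typ == RPM_INT32_TYPE and len(store) % 4:   # int32 data is aligned
            store += b"\0" * (4 - len(store) % 4)
        count = len(value) if typ == RPM_BIN_TYPE else len(value) // 4
        index += struct.pack(">iiii", tag, typ, len(store), count)
        store += value
    header = (HEADER_MAGIC + b"\0" * 4
              + struct.pack(">II", len(items), len(store)) + index + store)
    header += b"\0" * (-len(header) % 8)   # signature header is 8-byte padded
    return lead + header


if __name__ == "__main__":
    for flag in (False, True):
        found = parse_signature_header(build_rpm(flag))
        print(sorted(SIGTAG_NAMES.get(t, str(t)) for t in found),
              "->", classify(found))
```

The classification mirrors the tag list `rpm -K` prints, but it stops at presence: anyone can put bytes under tag 1005, so provenance needs the signature checked against an imported key (`rpm --import` the key, then `rpm --checksig`, which `rpm -K` abbreviates), and a package manager only does that for you when the repository is configured with `gpgcheck=1`. For a package that parses as "unsigned" there is nothing for either step to check, which is the gap the post is describing.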
